Description

Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

Remediation

References

https://hackerone.com/reports/730239

https://github.com/yarnpkg/yarn/pull/7831

Related Vulnerabilities

CVE-2023-29215 Vulnerability in maven package org.apache.linkis:linkis-metadata-query-service-jdbc

CVE-2023-49378 Vulnerability in maven package com.jfinal:jfinal

CVE-2022-25908 Vulnerability in npm package create-choo-electron

CVE-2021-32738 Vulnerability in npm package stellar-sdk

CVE-2016-10541 Vulnerability in npm package shell-quote

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Patch