Description

Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

Remediation

References

https://github.com/yarnpkg/yarn/pull/7831

https://hackerone.com/reports/730239

Related Vulnerabilities

CVE-2016-2537 Vulnerability in maven package org.webjars.npm:is-my-json-valid

CVE-2022-22880 Vulnerability in maven package org.jeecgframework.boot:jeecg-boot-base-core

CVE-2022-0219 Vulnerability in maven package io.github.skylot:jadx-core

CVE-2021-41151 Vulnerability in npm package @backstage/plugin-scaffolder-backend

CVE-2016-8747 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit