PT-2019-12044 · Facebook+1 · Yarn+1

Publicado

2019-12-16

Atualizado

2020-05-21

CVE-2019-10773

CVSS v3.1

7.8

Alta

Vetor

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Yarn versions prior to 1.21.1

Description The package install functionality in Yarn can be exploited to create arbitrary symlinks on the host filesystem. This can be achieved by using specially crafted "bin" keys. Depending on the current user's permission set, existing files could be overwritten.

Recommendations For versions prior to 1.21.1, update to version 1.21.1 or later to resolve the issue. As a temporary workaround, consider restricting the package install functionality until the update is applied.

Exploit

Correção

OS Command Injection

Link Following

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-78CWE-59

Identificadores relacionados

ALT-PU-2020-1415

ALT-PU-2020-1988

CVE-2019-10773

GHSA-5XF4-F2FQ-F69J

SNYK-JS-YARN-537806

Produtos afetados

Alt Linux

Yarn

PT-2019-12044 · Facebook+1 · Yarn+1

CVE-2019-10773

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 22