PT-2019-12044 · Facebook+1 · Yarn+1

Published

2019-12-16

Updated

2020-05-21

CVE-2019-10773

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Yarn versions prior to 1.21.1

Description The package install functionality in Yarn can be exploited to create arbitrary symlinks on the host filesystem. This can be achieved by using specially crafted "bin" keys. Depending on the current user's permission set, existing files could be overwritten.

Recommendations For versions prior to 1.21.1, update to version 1.21.1 or later to resolve the issue. As a temporary workaround, consider restricting the package install functionality until the update is applied.

Exploit

Fix

OS Command Injection

Link Following

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78CWE-59

Related Identifiers

ALT-PU-2020-1415

ALT-PU-2020-1988

CVE-2019-10773

GHSA-5XF4-F2FQ-F69J

SNYK-JS-YARN-537806

Affected Products

Alt Linux

Yarn

PT-2019-12044 · Facebook+1 · Yarn+1

CVE-2019-10773

Weakness Enumeration

Related Identifiers

Affected Products

References · 22