PT-2019-8900 · Yarnpkg · Yarnpkg
Marcus Brinkmann
·
Published
2019-05-16
·
Updated
2019-05-21
·
CVE-2018-12556
CVSS v3.1
5.9
Medium
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
yarnpkg/website versions prior to 2018-06-05
Description
The issue lies in the signature verification routine of the install.sh script, which only checks if a yarn release is signed by any key in the user's local keyring. This does not ensure the release is signed by the official yarn release key, allowing remote attackers to sign tampered packages with their own key.
Recommendations
For versions prior to 2018-06-05, update to a version released after 2018-06-05 to ensure the signature verification routine correctly pins the signature to the yarn release key.
Fix
Improper Verification of Cryptographic Signature
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Yarnpkg