PT-2020-9730 · Yarn +1

Published: 2020-03-01 · Updated: 2022-02-09 · CVE-2019-15608

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: yarn versions prior to 1.19.0

Description: The issue is a TOCTOU (time-of-check to time-of-use) vulnerability in package integrity validation. The package hash is computed before the package is written to the cache, but it is not recomputed when the package is later read from the cache, so a cache entry that changed in between is used without verification. This may lead to a cache pollution attack.

Recommendations: For versions prior to 1.19.0, update to version 1.19.0 to resolve the issue.
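The gap in the description above, shown in a toy package cache as an added illustration (this is not yarn's own code): integrity is checked once on write, the vulnerable read path never checks again, and the hardened read path recomputes the hash at time of use against the lockfile value. The `sha512-<base64>` integrity string mirrors the format yarn.lock records; package names and tarball bytes are constructed.

```python
"""Added example, not yarn's code: a toy cache with an unverified and a
verified read path. All names and data are constructed."""
import base64
import hashlib


def sri_sha512(data: bytes) -> str:
    """Subresource-Integrity style string, as recorded in yarn.lock."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


class PackageCache:
    def __init__(self) -> None:
        self._store: dict[str, bytes] = {}  # cache key -> tarball bytes (in memory)

    def write(self, name: str, tarball: bytes, expected: str) -> None:
        # The only check in the vulnerable design: once, before caching.
        if sri_sha512(tarball) != expected:
            raise ValueError(f"integrity mismatch for {name} on write")
        self._store[name] = tarball

    def read_unverified(self, name: str) -> bytes:
        # Vulnerable pattern: time of use relies on the earlier check.
        return self._store[name]

    def read_verified(self, name: str, expected: str) -> bytes:
        # Hardened pattern: recompute the hash at time of use.
        tarball = self._store[name]
        if sri_sha512(tarball) != expected:
            raise ValueError(f"integrity mismatch for {name} on read")
        return tarball


def demo() -> dict:
    """Return which read path notices a cache entry that changed after the check."""
    good = b"constructed-good-tarball"
    lockfile_integrity = sri_sha512(good)  # what the lockfile would record
    cache = PackageCache()
    cache.write("example-pkg", good, lockfile_integrity)
    # Simulate the cache entry differing from what was checked (the TOCTOU window).
    cache._store["example-pkg"] = b"constructed-changed-tarball"
    served = cache.read_unverified("example-pkg")
    try:
        cache.read_verified("example-pkg", lockfile_integrity)
        rejected = False
    except ValueError:
        rejected = True
    return {"unverified_served_changed_bytes": served != good,
            "verified_rejected": rejected}
```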

Weakness Enumeration

Time Of Check To Time Of Use

Related Identifiers

ALT-PU-2020-1415
ALT-PU-2020-1988
CVE-2019-15608
GHSA-HJXC-462X-X77J

Affected Products

Alt Linux
Yarn