CVE-2019-10773

Published: Dec 16, 2019Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.

Affected (1)

Products: Yarnpkg: Yarn

Yarnpkg

1 product

Yarn

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Yarnpkg Yarn	Before 1.21.1

Related CWEs

CWE-59

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References (14)

https://access.redhat.com/errata/RHSA-2020:0475

Source: report@snyk.io

https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/

Source: report@snyk.io

ExploitThird Party Advisory

https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7

Source: report@snyk.io

PatchThird Party Advisory

https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023

Source: report@snyk.io

ExploitThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/

Source: report@snyk.io

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/

Source: report@snyk.io

https://snyk.io/vuln/SNYK-JS-YARN-537806%2C

Source: report@snyk.io

https://access.redhat.com/errata/RHSA-2020:0475