CVE-2019-15608

Published: Mar 15, 2020Modified: Nov 21, 2024

5.9

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.

Affected (1)

Products: Yarnpkg: Yarn

Yarnpkg

1 product

Yarn

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Yarnpkg Yarn	Before 1.19.0

Related CWEs

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.

CWE-840

References (6)

https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190

Source: support@hackerone.com

https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c

Source: support@hackerone.com

https://hackerone.com/reports/703138

Source: support@hackerone.com

ExploitMitigationThird Party Advisory

https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c

Source: af854a3a-2127-422b-91ae-364da2661108

https://hackerone.com/reports/703138

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMitigationThird Party Advisory

Timeline

No history available yet.