CVE-2020-8131

Published: Feb 24, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.6 / Impact: 5.9

Source: NVD

Description

Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

Affected (1)

Products: Yarnpkg: Yarn

Yarnpkg

1 product

Yarn

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Yarnpkg Yarn	Up to 1.21.1

Related CWEs

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (4)

https://github.com/yarnpkg/yarn/pull/7831

Source: support@hackerone.com

PatchThird Party Advisory

https://hackerone.com/reports/730239

Source: support@hackerone.com

ExploitThird Party Advisory

https://github.com/yarnpkg/yarn/pull/7831

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://hackerone.com/reports/730239

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.