CVE-2021-4435

Published: Feb 4, 2024Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.

Affected (1)

Products: Yarnpkg: Yarn

Yarnpkg

1 product

Yarn

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Yarnpkg Yarn	Before 1.22.13

Related CWEs

CWE-426

Untrusted Search Path

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

References (8)

https://access.redhat.com/security/cve/CVE-2021-4435

Source: patrick@puiterwijk.org

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2262284

Source: patrick@puiterwijk.org

Issue Tracking

https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1

Source: patrick@puiterwijk.org

Patch

https://github.com/yarnpkg/yarn/releases/tag/v1.22.13

Source: patrick@puiterwijk.org

Release Notes

https://access.redhat.com/security/cve/CVE-2021-4435

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2262284

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking

https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/yarnpkg/yarn/releases/tag/v1.22.13

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

Timeline

No history available yet.