CVE-2019-10773

Exploit

EPSS 0.57%
Published 16.12.2019 20:15:14
Last modified 21.11.2024 04:19:53
Source report@snyk.io
Teams watchlist Login
Open Login

In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.

Affected products Warnungen 0 Metrics 3 CWE 1 References 10

Data is provided by the National Vulnerability Database (NVD)

Yarnpkg ≫ Yarn Version < 1.21.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.57%	0.673

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

https://access.redhat.com/errata/RHSA-2020:0475

https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/

Third Party Advisory

Exploit

https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7

Patch

Third Party Advisory

https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023

Third Party Advisory

Exploit

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/

https://snyk.io/vuln/SNYK-JS-YARN-537806%2C

https://nvd.nist.gov/vuln/detail/CVE-2019-10773

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-10773

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-10773

EUVD