CVE-2019-10773

Exploit

EPSS 0.57%
Veröffentlicht 16.12.2019 20:15:14
Zuletzt bearbeitet 21.11.2024 04:19:53
Quelle report@snyk.io
Teams Watchlist Login
Unerledigt Login

In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Yarnpkg ≫ Yarn Version < 1.21.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.57%	0.673

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

https://access.redhat.com/errata/RHSA-2020:0475

https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/

Third Party Advisory

Exploit

https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7

Patch

Third Party Advisory

https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023

Third Party Advisory

Exploit

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/

https://snyk.io/vuln/SNYK-JS-YARN-537806%2C

https://nvd.nist.gov/vuln/detail/CVE-2019-10773

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-10773

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-10773

EUVD