HIGH 7.8

GHSA-5xf4-f2fq-f69j

Yarn Improper link resolution before file access (Link Following)

Details

In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / yarn

Introduced in: 0 Fixed in: 1.22.0

Fix npm install yarn@1.22.0

References

https://nvd.nist.gov/vuln/detail/CVE-2019-10773 [ADVISORY]
https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023 [WEB]
https://github.com/yarnpkg/yarn/pull/7755 [WEB]
https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7 [WEB]
https://access.redhat.com/errata/RHSA-2020:0475 [WEB]
https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn [WEB]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5 [WEB]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI [WEB]
https://snyk.io/vuln/SNYK-JS-YARN-537806, [WEB]