Link following in Yarn yarn
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-10773 |
| CWE-ID | CWE-59 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
yarn Web applications / Modules and components for CMS |
| Vendor | Yarn |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Link following
EUVDB-ID: #VU30550
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-10773
CWE-ID:
CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Exploit availability: No
DescriptionThe vulnerability allows a local non-authenticated attacker to execute arbitrary code.
In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.
MitigationInstall update from vendor's website.
Vulnerable software versionsyarn: 1.21.0
External linkshttp://access.redhat.com/errata/RHSA-2020:0475
http://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/
http://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7
http://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/
http://snyk.io/vuln/SNYK-JS-YARN-537806,
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
