SB2019121623 - Link following in Yarn yarn
Published: December 16, 2019 Updated: July 17, 2020
Security Bulletin ID
SB2019121623
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Link following (CVE-ID: CVE-2019-10773)
The vulnerability allows a local non-authenticated attacker to execute arbitrary code.
In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.
Remediation
Install update from vendor's website.
References
- https://access.redhat.com/errata/RHSA-2020:0475
- https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/
- https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7
- https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/
- https://snyk.io/vuln/SNYK-JS-YARN-537806,