Main Vulnerability Database SB2020031527

SB2020031527 - Time-of-check Time-of-use (TOCTOU) Race Condition in yarn

Published: March 15, 2020 Updated: August 8, 2020

Security Bulletin ID SB2020031527

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2019-15608)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.

Remediation

Install update from vendor's website.

References

https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190
https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c
https://hackerone.com/reports/703138