Fedora 38 update for yarnpkg
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2022-37599 CVE-2023-26136 CVE-2023-46234 |
| CWE-ID | CWE-185 CWE-1321 CWE-347 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Fedora Operating systems & Components / Operating system yarnpkg Operating systems & Components / Operating system package or component |
| Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Incorrect Regular Expression
EUVDB-ID: #VU70122
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-37599
CWE-ID:
CWE-185 - Incorrect Regular Expression
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input passed via the resourcePath variable to interpolateName() function in interpolateName.js. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack. MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 38
yarnpkg: before 1.22.21-2.fc38
External linkshttp://bodhi.fedoraproject.org/updates/FEDORA-2024-5ecc250449
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Prototype pollution
EUVDB-ID: #VU80323
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-26136
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
Install updates from vendor's repository.
Vulnerable software versionsFedora: 38
yarnpkg: before 1.22.21-2.fc38
External linkshttp://bodhi.fedoraproject.org/updates/FEDORA-2024-5ecc250449
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper Verification of Cryptographic Signature
EUVDB-ID: #VU82608
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-46234
CWE-ID:
CWE-347 - Improper Verification of Cryptographic Signature
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error in the dsaVerify() function when validating public keys. A remote attacker can construct a public key in a way that it will be accepted as valid by the affected application and perform spoofing attack.
Install updates from vendor's repository.
Vulnerable software versionsFedora: 38
yarnpkg: before 1.22.21-2.fc38
External linkshttp://bodhi.fedoraproject.org/updates/FEDORA-2024-5ecc250449
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
