Main Vulnerability Database Vulnerabilities #VU34750

Time-of-check Time-of-use (TOCTOU) Race Condition in yarn - CVE-2019-15608

Published: March 15, 2020 / Updated: August 8, 2020

Vulnerability identifier: #VU34750

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-15608

CWE-ID: CWE-367

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Yarn

Affected software:
yarn

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.

How to mitigate CVE-2019-15608

Install update from vendor's website.

Sources

https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190
https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c
https://hackerone.com/reports/703138

Time-of-check Time-of-use (TOCTOU) Race Condition in yarn - CVE-2019-15608

Detailed vulnerability description

How to mitigate CVE-2019-15608

Sources

Please verify you're human