#VU30550 Link following in yarn
Vulnerability identifier: #VU30550
Vulnerability risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-59
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
yarn
Web applications /
Modules and components for CMS
Vendor: Yarn
Description
The vulnerability allows a local non-authenticated attacker to execute arbitrary code.
In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.
Mitigation
Install update from vendor's website.
Vulnerable software versions
yarn: 1.21.0
External links
http://access.redhat.com/errata/RHSA-2020:0475
http://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/
http://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7
http://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/
http://snyk.io/vuln/SNYK-JS-YARN-537806,
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
