Описание
The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.
A flaw was found in Yarn. The package integrity validation in Yarn contains a time-of-check to time-of-use (TOCTOU) vulnerability where the hash is computed before writing a package to cache and is not computed again when reading from the cache. This flaw may lead to a cache pollution attack. The highest threat from this vulnerability is to integrity.
Меры по смягчению последствий
Run 'yarn cache clean' before installs.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Quay 3 | yarn | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
4.4 Medium
CVSS3
Связанные уязвимости
The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.
The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.
The package integrity validation in yarn < 1.19.0 contains a TOCTOU vu ...
EPSS
4.4 Medium
CVSS3