Описание
Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.
An arbitrary file write flaw was found in Yarn. This flaw allows an attacker to write files to a user’s system in unexpected places, potentially leading to remote code execution. The attacker would need to first trick a developer into installing a malicious package.
Отчет
Normally yarn allows packages to run postinstall scripts which can write arbitrary files to the users system. This vulnerability allows an attacker to better hide the attack and also allow arbitrary file write when postinstall scripts are disabled with the '--ignore-scripts' option of 'yarn install'.
Дополнительная информация
Статус:
7.5 High
CVSS3
Связанные уязвимости
Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.
Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.
Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows ...
7.5 High
CVSS3