Description
In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.
| Release | Status | Note |
|---|---|---|
| bionic | DNE | |
| devel | not-affected | 1.22.19+~cs24.27.18-1 |
| disco | ignored | end of life |
| eoan | ignored | end of life |
| esm-apps/focal | needs-triage | |
| esm-apps/jammy | needs-triage | |
| esm-apps/noble | not-affected | 1.22.19+~cs24.27.18-1 |
| esm-infra-legacy/trusty | DNE | |
| focal | ignored | end of standard support, was needs-triage |
| groovy | ignored | end of life |
Source references

CVSS2: 6.8 Medium
CVSS3: 7.8 High
Related vulnerabilities
Yarn Improper link resolution before file access (Link Following)
CVSS2: 6.8 Medium
CVSS3: 7.8 High