CVE-2019-10773
HIGH 7.8 | EPSS 0.55% | Yarn Improper link resolution before file access (Link Following)
Published: 2020/2/14 | Modified: 2026/3/13
Description
In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.
Affected packages (2)
- Debian/node-yarnpkg: from 0, < 1.21.1-1
- npm/yarn: from 0, < 1.22.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References (10)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2019-10773
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2019-10773
- WEB: https://access.redhat.com/errata/RHSA-2020:0475
- WEB: https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn
- WEB: https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7
- WEB: https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023
- WEB: https://github.com/yarnpkg/yarn/pull/7755
- WEB: https://lists.fedoraproject.org/archives/list/[email protected]/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5
- WEB: https://lists.fedoraproject.org/archives/list/[email protected]/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI
- WEB: https://snyk.io/vuln/SNYK-JS-YARN-537806