Все бюллетени/p9/ALT-PU-2020-1988-2
ALT-PU-2020-1988-2

Обновление пакета yarn в ветке p9

Версия1.22.4-alt0.1.p9
Задание#251768
Опубликовано2026-02-04
Макс. серьёзностьHIGH
Серьёзность:

Закрытые проблемы (6)

CVE-2019-10773
HIGH7.8

In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.

Опубликовано: 2019-12-16Изменено: 2024-11-21
CVSS 2.0СРЕДНЯЯ 6.8
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS 3.xВЫСОКАЯ 7.8
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Ссылки
CVE-2019-15608
MEDIUM5.9

The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.

Опубликовано: 2020-03-15Изменено: 2024-11-21
CVSS 2.0СРЕДНЯЯ 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS 3.xСРЕДНЯЯ 5.9
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Ссылки
CVE-2020-8131
HIGH7.5

Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

Опубликовано: 2020-02-24Изменено: 2024-11-21
CVSS 2.0СРЕДНЯЯ 5.1
CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Ссылки
GHSA-5xf4-f2fq-f69j
HIGH7.8

Yarn Improper link resolution before file access (Link Following)

Опубликовано: 2020-02-15Изменено: 2023-09-09
CVSS 3.xВЫСОКАЯ 7.8
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Ссылки