CVE-2019-10773 : In Yarn before 1.21.1, the package install functionality can be abused to genera

In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.

Published 2019-12-16 20:15:14

Updated 2020-02-08 04:15:11

Source Snyk

View at NVD, CVE.org

Products affected by CVE-2019-10773

Yarnpkg » Yarn
Versions before (<) 1.21.1
cpe:2.3:a:yarnpkg:yarn:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-10773

EPSS FAQ

0.57%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 67 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-10773

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-10773

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-10773

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/

[SECURITY] Fedora 30 Update: nodejs-yarn-1.21.1-1.fc30 - package-announce - Fedora Mailing-Lists
https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/

binary planting and arbitrary file (over)write vulnerabilities in npm, pnpm and yarn | Blog of Daniel Ruf
Exploit;Third Party Advisory
https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023

globally-installed package overwrites an existing binary in the target install location · Issue #7761 · yarnpkg/yarn · GitHub
Exploit;Third Party Advisory
https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7

Fixes bin overwrites (#7755) · yarnpkg/yarn@039bafd · GitHub
Patch;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/

[SECURITY] Fedora 31 Update: nodejs-yarn-1.21.1-1.fc31 - package-announce - Fedora Mailing-Lists
https://access.redhat.com/errata/RHSA-2020:0475

RHSA-2020:0475 - Security Advisory - Red Hat Customer Portal

Jump to

Vulnerability Details : CVE-2019-10773

Products affected by CVE-2019-10773

Exploit prediction scoring system (EPSS) score for CVE-2019-10773

CVSS scores for CVE-2019-10773

CWE ids for CVE-2019-10773

References for CVE-2019-10773