8 vulnerabilities by yarnpkg
CVE-2025-9308 (GCVE-0-2025-9308)
Vulnerability from cvelistv5 – Published: 2025-08-21 16:02 – Updated: 2025-08-21 17:32
Summary
A vulnerability has been found in yarnpkg Yarn up to 1.22.22. It impacts the function setOptions of the file src/util/request-manager.js. Manipulation of its input leads to inefficient regular expression complexity (ReDoS). Local access is required to carry out this attack. This vulnerability only affects products that are no longer supported by the maintainer.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| yarnpkg | Yarn | Affected: 1.22.0, 1.22.1, 1.22.2, 1.22.3, 1.22.4, 1.22.5, 1.22.6, 1.22.7, 1.22.8, 1.22.9, 1.22.10, 1.22.11, 1.22.12, 1.22.13, 1.22.14, 1.22.15, 1.22.16, 1.22.17, 1.22.18, 1.22.19, 1.22.20, 1.22.21, 1.22.22 |
Credits
mmmsssttt (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9308",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-21T17:24:36.331263Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T17:32:14.661Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/yarnpkg/yarn/pull/9203"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Yarn",
"vendor": "yarnpkg",
"versions": [
{
"status": "affected",
"version": "1.22.0"
},
{
"status": "affected",
"version": "1.22.1"
},
{
"status": "affected",
"version": "1.22.2"
},
{
"status": "affected",
"version": "1.22.3"
},
{
"status": "affected",
"version": "1.22.4"
},
{
"status": "affected",
"version": "1.22.5"
},
{
"status": "affected",
"version": "1.22.6"
},
{
"status": "affected",
"version": "1.22.7"
},
{
"status": "affected",
"version": "1.22.8"
},
{
"status": "affected",
"version": "1.22.9"
},
{
"status": "affected",
"version": "1.22.10"
},
{
"status": "affected",
"version": "1.22.11"
},
{
"status": "affected",
"version": "1.22.12"
},
{
"status": "affected",
"version": "1.22.13"
},
{
"status": "affected",
"version": "1.22.14"
},
{
"status": "affected",
"version": "1.22.15"
},
{
"status": "affected",
"version": "1.22.16"
},
{
"status": "affected",
"version": "1.22.17"
},
{
"status": "affected",
"version": "1.22.18"
},
{
"status": "affected",
"version": "1.22.19"
},
{
"status": "affected",
"version": "1.22.20"
},
{
"status": "affected",
"version": "1.22.21"
},
{
"status": "affected",
"version": "1.22.22"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mmmsssttt (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in yarnpkg Yarn up to 1.22.22. This impacts the function setOptions of the file src/util/request-manager.js. Such manipulation leads to inefficient regular expression complexity. Local access is required to approach this attack. This vulnerability only affects products that are no longer supported by the maintainer."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in yarnpkg Yarn bis 1.22.22 entdeckt. Betroffen hiervon ist die Funktion setOptions der Datei src/util/request-manager.js. Mittels dem Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff muss auf lokaler Ebene erfolgen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T16:02:12.172Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-320913 | yarnpkg Yarn request-manager.js setOptions redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.320913"
},
{
"name": "VDB-320913 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.320913"
},
{
"name": "Submit #633486 | yarn Yarn src/util/request-manager.js v1.22.22 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.633486"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/yarnpkg/yarn/pull/9203"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2025-08-21T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-21T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-21T08:03:40.000Z",
"value": "VulDB entry last update"
}
],
"title": "yarnpkg Yarn request-manager.js setOptions redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9308",
"datePublished": "2025-08-21T16:02:12.172Z",
"dateReserved": "2025-08-21T05:58:24.411Z",
"dateUpdated": "2025-08-21T17:32:14.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8262 (GCVE-0-2025-8262)
Vulnerability from cvelistv5 – Published: 2025-07-28 07:02 – Updated: 2025-07-28 17:16
Summary
A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. The affected function is explodeHostedGitFragment in the file src/resolvers/exotics/hosted-git-resolver.js. Manipulation of its input leads to inefficient regular expression complexity (ReDoS). The attack can be launched remotely. The patch is identified as 97731871e674bf93bcbf29e9d3258da8685f3076. It is recommended to apply the patch to fix this issue.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| yarnpkg | Yarn | Affected: 1.22.0, 1.22.1, 1.22.2, 1.22.3, 1.22.4, 1.22.5, 1.22.6, 1.22.7, 1.22.8, 1.22.9, 1.22.10, 1.22.11, 1.22.12, 1.22.13, 1.22.14, 1.22.15, 1.22.16, 1.22.17, 1.22.18, 1.22.19, 1.22.20, 1.22.21, 1.22.22 |
Credits
mmmsssttt (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8262",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-28T17:13:41.425895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T17:16:45.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Yarn",
"vendor": "yarnpkg",
"versions": [
{
"status": "affected",
"version": "1.22.0"
},
{
"status": "affected",
"version": "1.22.1"
},
{
"status": "affected",
"version": "1.22.2"
},
{
"status": "affected",
"version": "1.22.3"
},
{
"status": "affected",
"version": "1.22.4"
},
{
"status": "affected",
"version": "1.22.5"
},
{
"status": "affected",
"version": "1.22.6"
},
{
"status": "affected",
"version": "1.22.7"
},
{
"status": "affected",
"version": "1.22.8"
},
{
"status": "affected",
"version": "1.22.9"
},
{
"status": "affected",
"version": "1.22.10"
},
{
"status": "affected",
"version": "1.22.11"
},
{
"status": "affected",
"version": "1.22.12"
},
{
"status": "affected",
"version": "1.22.13"
},
{
"status": "affected",
"version": "1.22.14"
},
{
"status": "affected",
"version": "1.22.15"
},
{
"status": "affected",
"version": "1.22.16"
},
{
"status": "affected",
"version": "1.22.17"
},
{
"status": "affected",
"version": "1.22.18"
},
{
"status": "affected",
"version": "1.22.19"
},
{
"status": "affected",
"version": "1.22.20"
},
{
"status": "affected",
"version": "1.22.21"
},
{
"status": "affected",
"version": "1.22.22"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mmmsssttt (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. Affected is the function explodeHostedGitFragment of the file src/resolvers/exotics/hosted-git-resolver.js. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The patch is identified as 97731871e674bf93bcbf29e9d3258da8685f3076. It is recommended to apply a patch to fix this issue."
},
{
"lang": "de",
"value": "Es wurde eine problematische Schwachstelle in yarnpkg Yarn bis 1.22.22 ausgemacht. Es betrifft die Funktion explodeHostedGitFragment der Datei src/resolvers/exotics/hosted-git-resolver.js. Mittels dem Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Patch wird als 97731871e674bf93bcbf29e9d3258da8685f3076 bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T07:02:05.616Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-317850 | yarnpkg Yarn hosted-git-resolver.js explodeHostedGitFragment redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.317850"
},
{
"name": "VDB-317850 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.317850"
},
{
"name": "Submit #617393 | Yarn v1.22.22 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.617393"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/yarnpkg/yarn/pull/9199"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/yarnpkg/yarn/pull/9199/commits/97731871e674bf93bcbf29e9d3258da8685f3076"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-07-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-07-26T18:29:39.000Z",
"value": "VulDB entry last update"
}
],
"title": "yarnpkg Yarn hosted-git-resolver.js explodeHostedGitFragment redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8262",
"datePublished": "2025-07-28T07:02:05.616Z",
"dateReserved": "2025-07-26T16:24:06.079Z",
"dateUpdated": "2025-07-28T17:16:45.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4435 (GCVE-0-2021-4435)
Vulnerability from cvelistv5 – Published: 2024-02-04 19:16 – Updated: 2025-06-17 14:29
Summary
An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.
Severity
7.7 (High)
CWE
- CWE-426 - Untrusted Search Path
Credits
Red Hat would like to thank Paul Gerste (Sonar) for reporting this issue.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:30:07.387Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2021-4435"
},
{
"name": "RHBZ#2262284",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262284"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/yarnpkg/yarn/releases/tag/v1.22.13"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-4435",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T14:29:04.160012Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T14:29:17.224Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "yarn",
"vendor": "n/a",
"versions": [
{
"status": "unaffected",
"version": "1.22.13"
}
]
},
{
"collectionURL": "https://packages.fedoraproject.org/",
"defaultStatus": "unaffected",
"packageName": "yarnpkg",
"product": "Fedora",
"vendor": "Fedora"
},
{
"collectionURL": "https://packages.fedoraproject.org/",
"defaultStatus": "unaffected",
"packageName": "yarnpkg",
"product": "Extra Packages for Enterprise Linux",
"vendor": "Fedora"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Paul Gerste (Sonar) for reporting this issue."
}
],
"datePublic": "2021-09-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-426",
"description": "Untrusted Search Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-04T19:16:35.651Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2021-4435"
},
{
"name": "RHBZ#2262284",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262284"
},
{
"url": "https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1"
},
{
"url": "https://github.com/yarnpkg/yarn/releases/tag/v1.22.13"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-10-23T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2021-09-20T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Yarn: untrusted search path",
"x_redhatCweChain": "CWE-426: Untrusted Search Path"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2021-4435",
"datePublished": "2024-02-04T19:16:35.651Z",
"dateReserved": "2024-02-01T14:23:02.896Z",
"dateUpdated": "2025-06-17T14:29:17.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15608 (GCVE-0-2019-15608)
Vulnerability from cvelistv5 – Published: 2020-03-15 17:08 – Updated: 2024-08-05 00:49
Summary
The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability: the hash is computed before a package is written to the cache, but it is not recomputed when the package is later read from the cache. This may lead to a cache pollution attack.
Severity
No CVSS data available.
CWE
- CWE-840 - Business Logic Errors (CWE-840)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:49:13.783Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/703138"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "yarn",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 1.19.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The package integrity validation in yarn \u003c 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It\u0027s not computed again when reading from the cache. This may lead to a cache pollution attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-840",
"description": "Business Logic Errors (CWE-840)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-21T00:21:41",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/703138"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2019-15608",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "yarn",
"version": {
"version_data": [
{
"version_value": "Fixed in 1.19.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package integrity validation in yarn \u003c 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It\u0027s not computed again when reading from the cache. This may lead to a cache pollution attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Business Logic Errors (CWE-840)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/703138",
"refsource": "MISC",
"url": "https://hackerone.com/reports/703138"
},
{
"name": "https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c",
"refsource": "MISC",
"url": "https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c"
},
{
"name": "https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190",
"refsource": "MISC",
"url": "https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2019-15608",
"datePublished": "2020-03-15T17:08:13",
"dateReserved": "2019-08-26T00:00:00",
"dateUpdated": "2024-08-05T00:49:13.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8131 (GCVE-0-2020-8131)
Vulnerability from cvelistv5 – Published: 2020-02-24 14:41 – Updated: 2024-08-04 09:48
Summary
Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.
Severity
No CVSS data available.
CWE
- CWE-22 - Path Traversal (CWE-22)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:48:25.635Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/730239"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/yarnpkg/yarn/pull/7831"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "yarn",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed Version: 1.22.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-28T19:29:35",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/730239"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/yarnpkg/yarn/pull/7831"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8131",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "yarn",
"version": {
"version_data": [
{
"version_value": "Fixed Version: 1.22.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/730239",
"refsource": "MISC",
"url": "https://hackerone.com/reports/730239"
},
{
"name": "https://github.com/yarnpkg/yarn/pull/7831",
"refsource": "CONFIRM",
"url": "https://github.com/yarnpkg/yarn/pull/7831"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8131",
"datePublished": "2020-02-24T14:41:23",
"dateReserved": "2020-01-28T00:00:00",
"dateUpdated": "2024-08-04T09:48:25.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10773 (GCVE-0-2019-10773)
Vulnerability from cvelistv5 – Published: 2019-12-16 19:31 – Updated: 2024-08-04 22:32
Summary
In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.
Severity
No CVSS data available.
CWE
- Arbitrary File Write
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:32:01.551Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-YARN-537806%2C"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/"
},
{
"name": "FEDORA-2020-766ce5adae",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/"
},
{
"name": "FEDORA-2020-7525beefa1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/"
},
{
"name": "RHSA-2020:0475",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0475"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Yarn",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 1.21.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted \"bin\" keys. Existing files could be overwritten depending on the current user permission set."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Arbitrary File Write",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-11T20:06:06",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-YARN-537806%2C"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/"
},
{
"name": "FEDORA-2020-766ce5adae",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/"
},
{
"name": "FEDORA-2020-7525beefa1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/"
},
{
"name": "RHSA-2020:0475",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0475"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2019-10773",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Yarn",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 1.21.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted \"bin\" keys. Existing files could be overwritten depending on the current user permission set."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Arbitrary File Write"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-YARN-537806,",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-YARN-537806,"
},
{
"name": "https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7",
"refsource": "MISC",
"url": "https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7"
},
{
"name": "https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023",
"refsource": "CONFIRM",
"url": "https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023"
},
{
"name": "https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/",
"refsource": "MISC",
"url": "https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/"
},
{
"name": "FEDORA-2020-766ce5adae",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/"
},
{
"name": "FEDORA-2020-7525beefa1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/"
},
{
"name": "RHSA-2020:0475",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0475"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2019-10773",
"datePublished": "2019-12-16T19:31:34",
"dateReserved": "2019-04-03T00:00:00",
"dateUpdated": "2024-08-04T22:32:01.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-5448 (GCVE-0-2019-5448)
Vulnerability from cvelistv5 – Published: 2019-07-30 20:15 – Updated: 2024-08-04 19:54
Summary
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data: HTTP URLs in the lockfile cause authentication data to be sent unencrypted over the network.
Severity
No CVSS data available.
CWE
- CWE-311 - Missing Encryption of Sensitive Data (CWE-311)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:54:53.646Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/640904"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://yarnpkg.com/blog/2019/07/12/recommended-security-update/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "yarn",
"vendor": "yarn",
"versions": [
{
"status": "affected",
"version": "Fixed in 1.17.3"
}
]
}
],
"datePublic": "2019-07-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "Missing Encryption of Sensitive Data (CWE-311)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-30T20:15:57",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/640904"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://yarnpkg.com/blog/2019/07/12/recommended-security-update/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2019-5448",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "yarn",
"version": {
"version_data": [
{
"version_value": "Fixed in 1.17.3"
}
]
}
}
]
},
"vendor_name": "yarn"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing Encryption of Sensitive Data (CWE-311)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/640904",
"refsource": "MISC",
"url": "https://hackerone.com/reports/640904"
},
{
"name": "https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md",
"refsource": "MISC",
"url": "https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md"
},
{
"name": "https://yarnpkg.com/blog/2019/07/12/recommended-security-update/",
"refsource": "CONFIRM",
"url": "https://yarnpkg.com/blog/2019/07/12/recommended-security-update/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2019-5448",
"datePublished": "2019-07-30T20:15:57",
"dateReserved": "2019-01-04T00:00:00",
"dateUpdated": "2024-08-04T19:54:53.646Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-12556 (GCVE-0-2018-12556)
Vulnerability from cvelistv5 – Published: 2019-05-16 16:12 – Updated: 2024-08-05 08:38
Summary
The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only checks that the Yarn release is signed by some key present in the user's local keyring; it does not pin the signature to the Yarn release key (for example by comparing the signing key's full fingerprint). Any party whose public key the user has previously imported can therefore sign a tampered Yarn release package with their own key and have install.sh accept it. The correct check is that the signature verifies *and* the signing key's fingerprint matches the expected release key, not merely that the OpenPGP verification succeeds.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T08:38:06.342Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yarnpkg/website/commits/master"
},
{
"name": "20190430 OpenPGP and S/MIME signature forgery attacks in multiple email clients",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2019/Apr/38"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html"
},
{
"name": "[oss-security] 20190430 Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2019/04/30/4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-04-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does not pin the signature to the yarn release key, which allows remote attackers to sign tampered yarn release packages with their own key."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-16T16:12:53",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yarnpkg/website/commits/master"
},
{
"name": "20190430 OpenPGP and S/MIME signature forgery attacks in multiple email clients",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2019/Apr/38"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html"
},
{
"name": "[oss-security] 20190430 Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://www.openwall.com/lists/oss-security/2019/04/30/4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-12556",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does not pin the signature to the yarn release key, which allows remote attackers to sign tampered yarn release packages with their own key."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/yarnpkg/website/commits/master",
"refsource": "MISC",
"url": "https://github.com/yarnpkg/website/commits/master"
},
{
"name": "20190430 OpenPGP and S/MIME signature forgery attacks in multiple email clients",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2019/Apr/38"
},
{
"name": "http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html"
},
{
"name": "[oss-security] 20190430 Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients)",
"refsource": "MLIST",
"url": "https://www.openwall.com/lists/oss-security/2019/04/30/4"
},
{
"name": "https://github.com/RUB-NDS/Johnny-You-Are-Fired",
"refsource": "MISC",
"url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired"
},
{
"name": "https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf",
"refsource": "MISC",
"url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-12556",
"datePublished": "2019-05-16T16:12:53",
"dateReserved": "2018-06-18T00:00:00",
"dateUpdated": "2024-08-05T08:38:06.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}