cve-2019-10773
Vulnerability from cvelistv5
Published
2019-12-16 19:31
Modified
2024-08-04 22:32
Severity ?
Summary
In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.
References
report@snyk.iohttps://access.redhat.com/errata/RHSA-2020:0475
report@snyk.iohttps://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/Exploit, Third Party Advisory
report@snyk.iohttps://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7Patch, Third Party Advisory
report@snyk.iohttps://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023Exploit, Third Party Advisory
report@snyk.iohttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/
report@snyk.iohttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/
report@snyk.iohttps://snyk.io/vuln/SNYK-JS-YARN-537806%2C
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0475
af854a3a-2127-422b-91ae-364da2661108https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/
af854a3a-2127-422b-91ae-364da2661108https://snyk.io/vuln/SNYK-JS-YARN-537806%2C
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:32:01.551Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-JS-YARN-537806%2C"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/"
          },
          {
            "name": "FEDORA-2020-766ce5adae",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/"
          },
          {
            "name": "FEDORA-2020-7525beefa1",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/"
          },
          {
            "name": "RHSA-2020:0475",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0475"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Yarn",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "All versions prior to version 1.21.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted \"bin\" keys. Existing files could be overwritten depending on the current user permission set."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Arbitrary File Write",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-11T20:06:06",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://snyk.io/vuln/SNYK-JS-YARN-537806%2C"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/"
        },
        {
          "name": "FEDORA-2020-766ce5adae",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/"
        },
        {
          "name": "FEDORA-2020-7525beefa1",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/"
        },
        {
          "name": "RHSA-2020:0475",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0475"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "report@snyk.io",
          "ID": "CVE-2019-10773",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Yarn",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions prior to version 1.21.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted \"bin\" keys. Existing files could be overwritten depending on the current user permission set."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Arbitrary File Write"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://snyk.io/vuln/SNYK-JS-YARN-537806,",
              "refsource": "MISC",
              "url": "https://snyk.io/vuln/SNYK-JS-YARN-537806,"
            },
            {
              "name": "https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7",
              "refsource": "MISC",
              "url": "https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7"
            },
            {
              "name": "https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023",
              "refsource": "CONFIRM",
              "url": "https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023"
            },
            {
              "name": "https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/",
              "refsource": "MISC",
              "url": "https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/"
            },
            {
              "name": "FEDORA-2020-766ce5adae",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/"
            },
            {
              "name": "FEDORA-2020-7525beefa1",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/"
            },
            {
              "name": "RHSA-2020:0475",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0475"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2019-10773",
    "datePublished": "2019-12-16T19:31:34",
    "dateReserved": "2019-04-03T00:00:00",
    "dateUpdated": "2024-08-04T22:32:01.551Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:yarnpkg:yarn:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.21.1\", \"matchCriteriaId\": \"6AD33651-1103-4375-8BCF-983DBCDF6470\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted \\\"bin\\\" keys. Existing files could be overwritten depending on the current user permission set.\"}, {\"lang\": \"es\", \"value\": \"En Yarn versiones anteriores a 1.21.1, la funcionalidad package install puede ser abusada para generar enlaces simb\\u00f3licos arbitrarios en el sistema de archivos host mediante el uso de teclas \\\"bin\\\" especialmente dise\\u00f1adas. Los archivos existentes podr\\u00edan ser sobrescritos dependiendo del conjunto de permisos del usuario actual.\"}]",
      "id": "CVE-2019-10773",
      "lastModified": "2024-11-21T04:19:53.623",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2019-12-16T20:15:14.477",
      "references": "[{\"url\": \"https://access.redhat.com/errata/RHSA-2020:0475\", \"source\": \"report@snyk.io\"}, {\"url\": \"https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/\", \"source\": \"report@snyk.io\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7\", \"source\": \"report@snyk.io\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023\", \"source\": \"report@snyk.io\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/\", \"source\": \"report@snyk.io\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/\", \"source\": \"report@snyk.io\"}, {\"url\": \"https://snyk.io/vuln/SNYK-JS-YARN-537806%2C\", \"source\": \"report@snyk.io\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2020:0475\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://snyk.io/vuln/SNYK-JS-YARN-537806%2C\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "report@snyk.io",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-59\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-10773\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2019-12-16T20:15:14.477\",\"lastModified\":\"2024-11-21T04:19:53.623\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted \\\"bin\\\" keys. Existing files could be overwritten depending on the current user permission set.\"},{\"lang\":\"es\",\"value\":\"En Yarn versiones anteriores a 1.21.1, la funcionalidad package install puede ser abusada para generar enlaces simb\u00f3licos arbitrarios en el sistema de archivos host mediante el uso de teclas \\\"bin\\\" especialmente dise\u00f1adas. Los archivos existentes podr\u00edan ser sobrescritos dependiendo del conjunto de permisos del usuario actual.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-59\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:yarnpkg:yarn:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.21.1\",\"matchCriteriaId\":\"6AD33651-1103-4375-8BCF-983DBCDF6470\"}]}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0475\",\"source\":\"report@snyk.io\"},{\"url\":\"https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7\",\"source\":\"report@snyk.io\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/\",\"source\":\"report@snyk.io\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/\",\"source\":\"report@snyk.io\"},{\"url\":\"https://snyk.io/vuln/SNYK-JS-YARN-537806%2C\",\"source\":\"report@snyk.io\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2020:0475\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://snyk.io/vuln/SNYK-JS-YARN-537806%2C\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.