MEDIUM · 5.9

CVE-2018-12556

The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does n...

Vulnerability Description

The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does not pin the signature to the yarn release key, which allows remote attackers to sign tampered yarn release packages with their own key.
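The defect is that `gpg --verify` succeeding only means "some key in this keyring signed this"; the fix is to pin the check to the release key's fingerprint. The following added example (not the yarn project's install.sh) contrasts the two checks; both functions take gpg's machine-readable `--status-fd` output as their argument so the logic runs offline, and the pinned fingerprint and status lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the yarn project's install.sh. It contrasts the weak check
# the CVE describes with a pinned check. Both functions take gpg's
# machine-readable --status-fd output as their argument so they run offline.

# Placeholder only: the real Yarn release key fingerprint is not given here.
PINNED_FPR="0000000000000000000000000000000000000000"

# Weak check (the CVE pattern): any key in the local keyring that yields a
# GOODSIG line is accepted, so a key the user once imported for some other
# purpose passes just as well as the release key.
weak_verify() {
  printf '%s\n' "$1" | grep -q '^\[GNUPG:\] GOODSIG '
}

# Pinned check: require a VALIDSIG line whose primary-key fingerprint
# (field 12 of the VALIDSIG record) equals the expected release key.
pinned_verify() {
  fpr=$(printf '%s\n' "$1" | awk '/^\[GNUPG:\] VALIDSIG /{print $12; exit}')
  [ -n "$fpr" ] && [ "$fpr" = "$PINNED_FPR" ]
}

# Constructed status output: a signature from the expected release key.
GOOD_STATUS='[GNUPG:] GOODSIG 1111111111111111 Yarn Packaging (constructed)
[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2018-06-05 1528156800 0 4 0 1 10 00 0000000000000000000000000000000000000000'

# Constructed status output: a valid signature from another key in the keyring.
ROGUE_STATUS='[GNUPG:] GOODSIG 3333333333333333 Someone Else (constructed)
[GNUPG:] VALIDSIG 4444444444444444444444444444444444444444 2018-06-05 1528156800 0 4 0 1 10 00 4444444444444444444444444444444444444444'

if weak_verify "$ROGUE_STATUS"; then
  echo "weak check: signature from an unrelated keyring key accepted"
fi
if pinned_verify "$ROGUE_STATUS"; then
  echo "pinned check: unexpected acceptance"
else
  echo "pinned check: signature from an unrelated key rejected"
fi
```

In a real installer the status text comes from `gpg --status-fd 1 --verify release.asc release.tar.gz`; the comparison against the pinned fingerprint is what turns "signed by someone" into "signed by the release key".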

CVSS Score

5.9

MEDIUM

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: HIGH
Availability: NONE

Affected Products

Vendor    Product   Versions
Yarnpkg   Website   <= 2018-06-05

Related Weaknesses (CWE)

References

FAQ

What is CVE-2018-12556?

CVE-2018-12556 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does n...

How severe is CVE-2018-12556?

CVE-2018-12556 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-12556?

Check the references section above for vendor advisories and patch information. Affected products include: Yarnpkg Website.