CVE-2019-10773 — HIGH (7.8)

Q: How severe is CVE-2019-10773?

CVE-2019-10773 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-10773?

Check the references section above for vendor advisories and patch information. Affected products include: Yarnpkg Yarn.

Vulnerability Description

In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Yarnpkg	Yarn	< 1.21.1

Related Weaknesses (CWE)

CWE-59

References

https://access.redhat.com/errata/RHSA-2020:0475
https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/ExploitThird Party Advisory
https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7PatchThird Party Advisory
https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023ExploitThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://snyk.io/vuln/SNYK-JS-YARN-537806%2C
https://access.redhat.com/errata/RHSA-2020:0475
https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/ExploitThird Party Advisory
https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7PatchThird Party Advisory
https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023ExploitThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://snyk.io/vuln/SNYK-JS-YARN-537806%2C

FAQ

What is CVE-2019-10773?

CVE-2019-10773 is a vulnerability with a CVSS score of 7.8 (HIGH). In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten ...

How severe is CVE-2019-10773?

CVE-2019-10773 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-10773?

Check the references section above for vendor advisories and patch information. Affected products include: Yarnpkg Yarn.