Vulnerability Description
The package integrity validation in yarn < 1.19.0 contains a TOCTOU (time-of-check to time-of-use) vulnerability: the hash of a package is computed before the package is written to the cache, but it is not recomputed when the package is later read back from the cache. A cache entry that is altered between those two points is therefore used without detection, which may lead to a cache pollution attack.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Yarnpkg | Yarn | < 1.19.0 |
Related Weaknesses (CWE)
References
- https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190
- https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c
- https://hackerone.com/reports/703138 (Exploit, Mitigation, Third Party Advisory)
FAQ
What is CVE-2019-15608?
CVE-2019-15608 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. Thi...
How severe is CVE-2019-15608?
CVE-2019-15608 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-15608?
Check the references section above for vendor advisories and patch information. Affected products include: Yarnpkg Yarn.