Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tcHdqLWZjcjYteDM0Y84AA5DS

Yarn untrusted search path vulnerability

An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.

Permalink: https://github.com/advisories/GHSA-mpwj-fcr6-x34c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tcHdqLWZjcjYteDM0Y84AA5DS
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 10 months ago
Updated: 10 months ago


CVSS Score: 7.8
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Identifiers: GHSA-mpwj-fcr6-x34c, CVE-2021-4435
References: Repository: https://github.com/yarnpkg/yarn
Blast Radius: 37.9

Affected Packages

npm:yarn
Dependent packages: 3,296
Dependent repositories: 71,861
Downloads: 21,644,115 last month
Affected Version Ranges: < 1.22.13
Fixed in: 1.22.13
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.15.1, 0.16.0, 0.16.1, 0.17.0, 0.17.2, 0.17.3, 0.17.4, 0.17.5, 0.17.6, 0.17.7, 0.17.8, 0.17.9, 0.17.10, 0.18.0, 0.18.1, 0.18.2, 0.19.0, 0.19.1, 0.20.0, 0.20.3, 0.20.4, 0.21.0, 0.21.1, 0.21.2, 0.21.3, 0.22.0, 0.23.0, 0.23.1, 0.23.2, 0.23.3, 0.23.4, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.24.4, 0.24.5, 0.24.6, 0.25.1, 0.25.2, 0.25.3, 0.25.4, 0.26.0, 0.26.1, 0.27.0, 0.27.1, 0.27.2, 0.27.3, 0.27.4, 0.27.5, 0.28.1, 0.28.4, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.2.0, 1.2.1, 1.3.1, 1.3.2, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0, 1.9.1, 1.9.2, 1.9.4, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.12.3, 1.13.0, 1.14.0, 1.15.0, 1.15.1, 1.15.2, 1.16.0, 1.17.0, 1.17.1, 1.17.2, 1.17.3, 1.18.0, 1.19.0, 1.19.1, 1.19.2, 1.21.0, 1.21.1, 1.22.0, 1.22.1, 1.22.4, 1.22.5, 1.22.6, 1.22.7, 1.22.8, 1.22.9, 1.22.10, 1.22.11, 1.22.12
All unaffected versions: 1.22.13, 1.22.14, 1.22.15, 1.22.16, 1.22.17, 1.22.18, 1.22.19, 1.22.20, 1.22.21, 1.22.22, 2.4.3