Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tcHdqLWZjcjYteDM0Y84AA5DS
Yarn untrusted search path vulnerability
An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.
Permalink: https://github.com/advisories/GHSA-mpwj-fcr6-x34cJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tcHdqLWZjcjYteDM0Y84AA5DS
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 7.8
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Identifiers: GHSA-mpwj-fcr6-x34c, CVE-2021-4435
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-4435
- https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1
- https://access.redhat.com/security/cve/CVE-2021-4435
- https://bugzilla.redhat.com/show_bug.cgi?id=2262284
- https://github.com/yarnpkg/yarn/releases/tag/v1.22.13
- https://github.com/advisories/GHSA-mpwj-fcr6-x34c
Blast Radius: 37.9
Affected Packages
npm:yarn
Dependent packages: 3,296Dependent repositories: 71,861
Downloads: 23,142,286 last month
Affected Version Ranges: < 1.22.13
Fixed in: 1.22.13
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.15.1, 0.16.0, 0.16.1, 0.17.0, 0.17.2, 0.17.3, 0.17.4, 0.17.5, 0.17.6, 0.17.7, 0.17.8, 0.17.9, 0.17.10, 0.18.0, 0.18.1, 0.18.2, 0.19.0, 0.19.1, 0.20.0, 0.20.3, 0.20.4, 0.21.0, 0.21.1, 0.21.2, 0.21.3, 0.22.0, 0.23.0, 0.23.1, 0.23.2, 0.23.3, 0.23.4, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.24.4, 0.24.5, 0.24.6, 0.25.1, 0.25.2, 0.25.3, 0.25.4, 0.26.0, 0.26.1, 0.27.0, 0.27.1, 0.27.2, 0.27.3, 0.27.4, 0.27.5, 0.28.1, 0.28.4, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.2.0, 1.2.1, 1.3.1, 1.3.2, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0, 1.9.1, 1.9.2, 1.9.4, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.12.3, 1.13.0, 1.14.0, 1.15.0, 1.15.1, 1.15.2, 1.16.0, 1.17.0, 1.17.1, 1.17.2, 1.17.3, 1.18.0, 1.19.0, 1.19.1, 1.19.2, 1.21.0, 1.21.1, 1.22.0, 1.22.1, 1.22.4, 1.22.5, 1.22.6, 1.22.7, 1.22.8, 1.22.9, 1.22.10, 1.22.11, 1.22.12
All unaffected versions: 1.22.13, 1.22.14, 1.22.15, 1.22.16, 1.22.17, 1.22.18, 1.22.19, 1.22.20, 1.22.21, 1.22.22, 2.4.3