Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhqeGMtNDYyeC14Nzdq
TOCTOU Race Condition in Yarn
The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack. This issue is fixed in 1.19.0.
Permalink: https://github.com/advisories/GHSA-hjxc-462x-x77jJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhqeGMtNDYyeC14Nzdq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 8 months ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-hjxc-462x-x77j, CVE-2019-15608
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-15608
- https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c
- https://hackerone.com/reports/703138
- https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190
- https://github.com/advisories/GHSA-hjxc-462x-x77j
Blast Radius: 28.7
Affected Packages
npm:yarn
Dependent packages: 3,296Dependent repositories: 71,861
Downloads: 23,215,161 last month
Affected Version Ranges: < 1.19.0
Fixed in: 1.19.0
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.15.1, 0.16.0, 0.16.1, 0.17.0, 0.17.2, 0.17.3, 0.17.4, 0.17.5, 0.17.6, 0.17.7, 0.17.8, 0.17.9, 0.17.10, 0.18.0, 0.18.1, 0.18.2, 0.19.0, 0.19.1, 0.20.0, 0.20.3, 0.20.4, 0.21.0, 0.21.1, 0.21.2, 0.21.3, 0.22.0, 0.23.0, 0.23.1, 0.23.2, 0.23.3, 0.23.4, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.24.4, 0.24.5, 0.24.6, 0.25.1, 0.25.2, 0.25.3, 0.25.4, 0.26.0, 0.26.1, 0.27.0, 0.27.1, 0.27.2, 0.27.3, 0.27.4, 0.27.5, 0.28.1, 0.28.4, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.2.0, 1.2.1, 1.3.1, 1.3.2, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0, 1.9.1, 1.9.2, 1.9.4, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.12.3, 1.13.0, 1.14.0, 1.15.0, 1.15.1, 1.15.2, 1.16.0, 1.17.0, 1.17.1, 1.17.2, 1.17.3, 1.18.0
All unaffected versions: 1.19.0, 1.19.1, 1.19.2, 1.21.0, 1.21.1, 1.22.0, 1.22.1, 1.22.4, 1.22.5, 1.22.6, 1.22.7, 1.22.8, 1.22.9, 1.22.10, 1.22.11, 1.22.12, 1.22.13, 1.22.14, 1.22.15, 1.22.16, 1.22.17, 1.22.18, 1.22.19, 1.22.20, 1.22.21, 1.22.22, 2.4.3