4 matches found
CVE-2019-15608
The CVE-2019-15608 issue is a TOCTOU race condition in Yarn where the package hash is computed before writing to the cache and not recomputed on read, enabling potential cache pollution. Connected sources confirm this affects Yarn versions older than 1.19.0 and that a fix exists in 1.19.0. Photon...
CVE-2019-10773
The CVE-2019-10773 issue affects Yarn prior to 1.21.1, where the package install functionality can be abused via specially crafted bin keys to generate arbitrary symlinks on the host filesystem. This can lead to existing files being overwritten depending on user permissions. The vulnerability ste...
CVE-2019-5448
CVE-2019-5448 affects Yarn; the vulnerability arises from HTTP URLs in a Yarn lockfile that can cause unencrypted authentication data to be transmitted. The connected advisories confirm Photon OS and Nessus plugins flag Yarn as affected and advise updating the Yarn package to mitigate. The exact ...
CVE-2021-4435
CVE-2021-4435 describes an untrusted search path vulnerability in Yarn. The issue can allow execution of malicious commands when a victim runs certain Yarn commands in a directory containing attacker-controlled content. Impact details in the NVD entry show a high-severity, local attack with requi...