CVE-2019-10773

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2019-10773
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-10773.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-10773
Aliases
Downstream
Related
  • SNYK-JS-YARN-537806,
Published
2019-12-16T20:15:14.477Z
Modified
2026-02-06T04:09:37.689794Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.

References

Affected packages

Git / github.com/yarnpkg/yarn

Affected ranges

Type
GIT
Repo
https://github.com/yarnpkg/yarn
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
039bafd74b7b1a88a53a54f8fa6fa872615e90e7

Affected versions

0.*
0.4.0
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.5.0
0.6.0
0.6.1
Other
pre-release
v0.*
v0.10.0
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.15.1
v0.17.0
v0.17.0-0
v0.18.0
v0.18.0-0
v0.19.0
v0.19.0-0
v0.20.0
v0.20.0-0
v0.21.0
v0.21.0-pre
v0.22.0
v0.23.0
v0.25.0
v0.26.0
v0.27.0
v0.28.0
v0.7.0
v0.7.1
v0.8.0
v0.9.0
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.1.0
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.15.0
v1.16.0
v1.17.0
v1.18.0
v1.19.0
v1.2.0
v1.2.1
v1.21.0
v1.3.0
v1.3.1
v1.3.2
v1.4.0
v1.4.1
v1.5.0
v1.6.0
v1.7.0
v1.8.0
v1.9.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-10773.json"