CVE-2020-8131

Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

References

Affected packages

Git / github.com/yarnpkg/yarn

Affected ranges

Type

GIT

Repo

https://github.com/yarnpkg/yarn

Events

Introduced

Last affected

95186d5f61ea34de7be6c59b7cfb934cc3b31988

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.21.1"
        }
    ]
}

Affected versions

0.*

0.4.0

0.4.3

0.4.4

0.4.5

0.4.6

0.4.7

0.4.8

0.4.9

0.5.0

0.6.0

0.6.1

Other

pre-release

v0.*

v0.10.0

v0.11.0

v0.12.0

v0.13.0

v0.14.0

v0.15.0

v0.15.1

v0.17.0

v0.17.0-0

v0.18.0

v0.18.0-0

v0.19.0

v0.19.0-0

v0.20.0

v0.20.0-0

v0.21.0

v0.21.0-pre

v0.22.0

v0.23.0

v0.25.0

v0.26.0

v0.27.0

v0.28.0

v0.7.0

v0.7.1

v0.8.0

v0.9.0

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.1.0

v1.10.0

v1.11.0

v1.12.0

v1.13.0

v1.14.0

v1.15.0

v1.16.0

v1.17.0

v1.18.0

v1.19.0

v1.2.0

v1.2.1

v1.21.0

v1.21.1

v1.3.0

v1.3.1

v1.3.2

v1.4.0

v1.4.1

v1.5.0

v1.6.0

v1.7.0

v1.8.0

v1.9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-8131.json"