GHSA-8mfc-v7wv-p62g

Source

https://github.com/advisories/GHSA-8mfc-v7wv-p62g

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-8mfc-v7wv-p62g/GHSA-8mfc-v7wv-p62g.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-8mfc-v7wv-p62g

Aliases

CVE-2020-8131

Published

2022-02-09T22:43:37Z

Modified

2023-11-01T04:53:42.784850Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Path Traversal in Yarn

Details

Arbitrary filesystem write vulnerability in Yarn 1.21.1 and earlier allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

Database specific

{
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed_at": "2021-04-08T20:35:01Z",
    "github_reviewed": true,
    "nvd_published_at": "2020-02-24T15:15:00Z",
    "severity": "HIGH"
}

References

Affected packages

npm / yarn

Package

Name: yarn; View open source insights on deps.dev
Purl: pkg:npm/yarn

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.22.0

Database specific

last_known_affected_version_range

"<= 1.21.1"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-8mfc-v7wv-p62g/GHSA-8mfc-v7wv-p62g.json"