UBUNTU-CVE-2020-8131

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2020-8131

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-8131.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2020-8131

Upstream

CVE-2020-8131

Withdrawn

2025-07-18T16:45:44Z

Published

2020-02-24T15:15:00Z

Modified

2025-07-16T07:54:44.543638Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.

References

Affected packages

Ubuntu:20.04:LTS / node-yarnpkg

Package

Name: node-yarnpkg
Purl: pkg:deb/ubuntu/node-yarnpkg@1.22.4-2?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.22.4-2

Affected versions

1.*

1.13.0-1build1

1.13.0-3

1.19.1-1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "1.22.4-2",
            "binary_name": "yarnpkg"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-8131.json"