CVE-2019-10773

EUVD-2020-0291
In Yarn before 1.21.1, the package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted "bin" keys. Existing files could be overwritten depending on the current user permission set.
Link Following
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 67%
Affected Products (NVD)
VendorProductVersion
yarnpkgyarn
𝑥
< 1.21.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
node-yarnpkg
bookworm
1.22.19+~cs24.27.18-2+deb12u1
fixed
bullseye
1.22.10+~cs22.25.14-3
fixed
buster
no-dsa
sid
4.0.2+dfsg-3
fixed
trixie
4.0.2+dfsg-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-yarnpkg
bionic
dne
disco
ignored
eoan
ignored
focal
needs-triage
groovy
ignored
hirsute
ignored
impish
ignored
jammy
needs-triage
kinetic
ignored
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
dne
xenial
dne
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2020:0475
https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/
https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7
https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/
https://snyk.io/vuln/SNYK-JS-YARN-537806%2C
https://access.redhat.com/errata/RHSA-2020:0475
https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/
https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7
https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/
https://snyk.io/vuln/SNYK-JS-YARN-537806%2C