CVE-2020-8131
HIGH severity · CVSS 7.5 · Path traversal
7.5CVSS HIGH
Summary
Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.
Impact & exploitability
Attack vectorNetwork
Attack complexityHigh
Privileges requiredNone
User interactionRequired
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)5%
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: https://github.com/yarnpkg/yarn/pull/7831 ↗