CVE-2020-8131
Severity: HIGH
Yarn < 1.22.0 - Arbitrary Filesystem Write via Malicious Package Installation
Title source: llmDescription
Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.
References (2)
Exploit, Third Party Advisory (x_refsource_misc): https://hackerone.com/reports/730239
Patch, Third Party Advisory (x_refsource_confirm): https://github.com/yarnpkg/yarn/pull/7831
Scores
CVSS v3
7.5
EPSS
0.0503
EPSS Percentile
91.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-22
Status
published
Products (2)
npm/yarn
0 - 1.22.0 (npm)
yarnpkg/yarn
< 1.21.1
Published
Feb 24, 2020
Tracked Since
Feb 18, 2026