{"containers": {"cna": {"affected": [{"product": "yarn", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed Version: 1.22.0"}]}], "descriptions": [{"lang": "en", "value": "Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Path Traversal (CWE-22)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-02-28T19:29:35", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/730239"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/yarnpkg/yarn/pull/7831"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2020-8131", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "yarn", "version": {"version_data": [{"version_value": "Fixed Version: 1.22.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Path Traversal (CWE-22)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/730239", "refsource": "MISC", "url": "https://hackerone.com/reports/730239"}, {"name": "https://github.com/yarnpkg/yarn/pull/7831", "refsource": "CONFIRM", "url": "https://github.com/yarnpkg/yarn/pull/7831"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:48:25.635Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/730239"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/yarnpkg/yarn/pull/7831"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2020-8131", "datePublished": "2020-02-24T14:41:23", "dateReserved": "2020-01-28T00:00:00", "dateUpdated": "2024-08-04T09:48:25.635Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yarnpkg:yarn:*:*:*:*:*:*:*:*", "matchCriteriaId": "ABF332FA-DFF6-4F4E-A531-937B2907B6A3", "versionEndIncluding": "1.21.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package."}, {"lang": "es", "value": "La vulnerabilidad de escritura arbitraria del sistema de archivos en Yarn antes de 1.22.0 permite a los atacantes escribir en cualquier ruta en el sistema de archivos y potencialmente conducir a la ejecuci\u00f3n de c\u00f3digo arbitrario al obligar al usuario a instalar un paquete malicioso."}], "id": "CVE-2020-8131", "lastModified": "2020-03-24T14:47:04.697", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-24T15:15:12.020", "references": [{"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/yarnpkg/yarn/pull/7831"}, {"source": "support@hackerone.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackerone.com/reports/730239"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "support@hackerone.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2021:0420", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/clair-rhel8:v3.4.0-25", "product_name": "Red Hat Quay 3", "release_date": "2021-02-04T00:00:00Z"}, {"advisory": "RHSA-2021:0420", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/quay-bridge-operator-bundle:v3.4.0-3", "product_name": "Red Hat Quay 3", "release_date": "2021-02-04T00:00:00Z"}, {"advisory": "RHSA-2021:0420", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/quay-bridge-operator-rhel8:v3.4.0-17", "product_name": "Red Hat Quay 3", "release_date": "2021-02-04T00:00:00Z"}, {"advisory": "RHSA-2021:0420", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/quay-builder-qemu-rhcos-rhel8:v3.4.0-17", "product_name": "Red Hat Quay 3", "release_date": "2021-02-04T00:00:00Z"}, {"advisory": "RHSA-2021:0420", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/quay-builder-rhel8:v3.4.0-18", "product_name": "Red Hat Quay 3", "release_date": "2021-02-04T00:00:00Z"}, {"advisory": "RHSA-2021:0420", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/quay-container-security-operator-bundle:v3.4.0-2", "product_name": "Red Hat Quay 3", "release_date": "2021-02-04T00:00:00Z"}, {"advisory": "RHSA-2021:0420", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/quay-container-security-operator-rhel8:v3.4.0-2", "product_name": "Red Hat Quay 3", "release_date": "2021-02-04T00:00:00Z"}, {"advisory": "RHSA-2021:0420", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/quay-openshift-bridge-rhel8-operator:v3.4.0-17", "product_name": "Red Hat Quay 3", "release_date": "2021-02-04T00:00:00Z"}, {"advisory": "RHSA-2021:0420", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/quay-operator-bundle:v3.4.0-89", "product_name": "Red Hat Quay 3", "release_date": "2021-02-04T00:00:00Z"}, {"advisory": "RHSA-2021:0420", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/quay-operator-rhel8:v3.4.0-132", "product_name": "Red Hat Quay 3", "release_date": "2021-02-04T00:00:00Z"}, {"advisory": "RHSA-2021:0420", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/quay-rhel8:v3.4.0-51", "product_name": "Red Hat Quay 3", "release_date": "2021-02-04T00:00:00Z"}], "bugzilla": {"description": "yarn: Arbitrary filesystem write via tar expansion", "id": "1816261", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816261"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-77", "details": ["Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.", "An arbitrary file write flaw was found in Yarn. This flaw allows an attacker to write files to a user\u2019s system in unexpected places, potentially leading to remote code execution. The attacker would need to first trick a developer into installing a malicious package."], "name": "CVE-2020-8131", "public_date": "2020-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8131\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8131"], "statement": "Normally yarn allows packages to run postinstall scripts which can write arbitrary files to the users system. This vulnerability allows an attacker to better hide the attack and also allow arbitrary file write when postinstall scripts are disabled with the '--ignore-scripts' option of 'yarn install'.", "threat_severity": "Moderate", "upstream_fix": "yarn 1.22"}