CVE-2021-4435 (High) detected in yarn-1.22.10.tgz

Question

CVE-2021-4435 (High) detected in yarn-1.22.10.tgz

Opened this issue 10 months ago · 0 comments

mend-bolt-for-github commented 10 months ago

CVE-2021-4435 - High Severity Vulnerability

Vulnerable Library - yarn-1.22.10.tgz

?? Fast, reliable, and secure dependency management.

Library home page: https://registry.npmjs.org/yarn/-/yarn-1.22.10.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/yarn/package.json

Dependency Hierarchy:

❌ yarn-1.22.10.tgz (Vulnerable Library)

Found in HEAD commit: 15048d5839b48ae3c1b3243e53f079bbd420762a

Found in base branch: master

Vulnerability Details

An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.

Publish Date: 2024-02-04

URL: CVE-2021-4435

CVSS 3 Score Details (7.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-02-04

Fix Resolution: 1.22.13

Step up your Open Source Security Game with Mend here