CVE-2021-4435

2024-02-0420:15:45

CWE-426

fedora

web.nvd.nist.gov

cve-2021-4435

yarn

vulnerability

nvd

search path

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

0.001

Percentile

19.7%

JSON

An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.

Affected configurations

Nvd

Node

yarnpkgyarnRange<1.22.13

VendorProductVersionCPE
yarnpkgyarn*cpe:2.3:a:yarnpkg:yarn:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
yarnpkg	yarn	*	cpe:2.3:a:yarnpkg:yarn::::::::

CNA Affected

[
  {
    "product": "yarn",
    "vendor": "n/a",
    "versions": [
      {
        "version": "1.22.13",
        "status": "unaffected"
      }
    ]
  },
  {
    "product": "Fedora",
    "vendor": "Fedora",
    "collectionURL": "https://packages.fedoraproject.org/",
    "packageName": "yarnpkg",
    "defaultStatus": "unaffected"
  },
  {
    "product": "Extra Packages for Enterprise Linux",
    "vendor": "Fedora",
    "collectionURL": "https://packages.fedoraproject.org/",
    "packageName": "yarnpkg",
    "defaultStatus": "unaffected"
  }
]