CVE-2021-4435 Yarn: untrusted search path

Published: 2024-02-04 19:16:35
CWE: CWE-426 (Untrusted Search Path)
Source: Fedora CVE list, www.cve.org
Tags: yarn, untrusted search path, vulnerability, cve-2021-4435

CVSS3: 7.7 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 8
Confidence: High
EPSS: 0.001
Percentile: 19.7%

An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.

CNA Affected

[
  {
    "product": "yarn",
    "vendor": "n/a",
    "versions": [
      {
        "version": "1.22.13",
        "status": "unaffected"
      }
    ]
  },
  {
    "product": "Fedora",
    "vendor": "Fedora",
    "collectionURL": "https://packages.fedoraproject.org/",
    "packageName": "yarnpkg",
    "defaultStatus": "unaffected"
  },
  {
    "product": "Extra Packages for Enterprise Linux",
    "vendor": "Fedora",
    "collectionURL": "https://packages.fedoraproject.org/",
    "packageName": "yarnpkg",
    "defaultStatus": "unaffected"
  }
]
