org.webjars.npm:yarn@1.22.19 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.npm:yarn package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Arbitrary File Overwrite

org.webjars.npm:yarn is a package for dependency management.

Affected versions of this package are vulnerable to Arbitrary File Overwrite. It is possible for a malicious package, upon install, to write to any path on the filesystem even when the --ignore-scripts option is set. This occurs due to symlinks not being correctly unpacked as part of the Yarn install process.

How to fix Arbitrary File Overwrite?

Upgrade org.webjars.npm:yarn to version 2.0.0-rc.27 or higher.

[,2.0.0-rc.27)
  • L
Arbitrary File Write

org.webjars.npm:yarn is a package for dependency management.

Affected versions of this package are vulnerable to Arbitrary File Write. The package install functionality can be abused to generate arbitrary symlinks on the host filesystem by using specially crafted bin keys. Existing files could be overwritten depending on the current user permission set.

How to fix Arbitrary File Write?

Upgrade org.webjars.npm:yarn to version 2.0.0-rc.27 or higher.

[,2.0.0-rc.27)
  • H
Man-in-the-Middle (MitM)

org.webjars.npm:yarn is a package for dependency management.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). Npm credentials such as _authToken were found to be sent over clear text when processing scoped packages that are listed as resolved. This could allow a suitably positioned attacker to eavesdrop and compromise the sent credentials.

How to fix Man-in-the-Middle (MitM)?

Upgrade org.webjars.npm:yarn to version 2.0.0-rc.27 or higher.

[,2.0.0-rc.27)