An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.
References
Link | Resource |
---|---|
https://access.redhat.com/security/cve/CVE-2021-4435 | Third Party Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=2262284 | Issue Tracking |
https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1 | Patch |
https://github.com/yarnpkg/yarn/releases/tag/v1.22.13 | Release Notes |
https://access.redhat.com/security/cve/CVE-2021-4435 | Third Party Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=2262284 | Issue Tracking |
https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1 | Patch |
https://github.com/yarnpkg/yarn/releases/tag/v1.22.13 | Release Notes |
Configurations
History
21 Nov 2024, 06:37
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.7 |
References | () https://access.redhat.com/security/cve/CVE-2021-4435 - Third Party Advisory | |
References | () https://bugzilla.redhat.com/show_bug.cgi?id=2262284 - Issue Tracking | |
References | () https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1 - Patch | |
References | () https://github.com/yarnpkg/yarn/releases/tag/v1.22.13 - Release Notes |
13 Feb 2024, 00:38
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1 - Patch | |
References | () https://access.redhat.com/security/cve/CVE-2021-4435 - Third Party Advisory | |
References | () https://github.com/yarnpkg/yarn/releases/tag/v1.22.13 - Release Notes | |
References | () https://bugzilla.redhat.com/show_bug.cgi?id=2262284 - Issue Tracking | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
First Time |
Yarnpkg
Yarnpkg yarn |
|
CWE | CWE-426 | |
CPE | cpe:2.3:a:yarnpkg:yarn:*:*:*:*:*:*:*:* |
04 Feb 2024, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-02-04 20:15
Updated : 2024-11-21 06:37
NVD link : CVE-2021-4435
Mitre link : CVE-2021-4435
CVE.ORG link : CVE-2021-4435
JSON object : View
Products Affected
yarnpkg
- yarn
CWE
CWE-426
Untrusted Search Path