Bug 1219487 (CVE-2021-4435)

Summary: VUL-0: CVE-2021-4435: yarn: untrusted search path
Product: [openSUSE] openSUSE Distribution Reporter: SMASH SMASH <smash_bz>
Component: OtherAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: andrea.mattiazzo
Version: Leap 15.6   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/392751/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-02-02 09:25:27 UTC 
When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4435
https://bugzilla.redhat.com/show_bug.cgi?id=2262284

Patch:
https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1
Comment 1 Andrea Mattiazzo 2024-02-02 09:25:55 UTC 
Closed since affects only windows.