CVE-2019-15608

The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

cpe:2.3:a:yarnpkg:yarn:*:*:*:*:*:*:*:*

Information

Published : 2020-03-15 11:15

Updated : 2020-03-20 18:15


NVD link : CVE-2019-15608

Mitre link : CVE-2019-15608


JSON object : View

CWE
CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

Advertisement

dedicated server usa

Products Affected

yarnpkg

  • yarn