CVE-2019-15608 - OpenCVE

The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Yarnpkg	Yarn

Configuration 1 [-]

cpe:2.3:a:yarnpkg:yarn:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190
https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c
https://hackerone.com/reports/703138	Exploit Mitigation Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2020-03-15T17:08:13

Updated: 2020-03-21T00:21:41

Reserved: 2019-08-26T00:00:00

Link: CVE-2019-15608

JSON object: View

NVD Information

Status : Modified

Published: 2020-03-15T18:15:11.177

Modified: 2020-03-21T01:15:12.023

Link: CVE-2019-15608

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "yarn", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed in 1.19.0"}]}], "descriptions": [{"lang": "en", "value": "The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-840", "description": "Business Logic Errors (CWE-840)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-03-21T00:21:41", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/703138"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2019-15608", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "yarn", "version": {"version_data": [{"version_value": "Fixed in 1.19.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Business Logic Errors (CWE-840)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/703138", "refsource": "MISC", "url": "https://hackerone.com/reports/703138"}, {"name": "https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c", "refsource": "MISC", "url": "https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c"}, {"name": "https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190", "refsource": "MISC", "url": "https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190"}]}}}}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2019-15608", "datePublished": "2020-03-15T17:08:13", "dateReserved": "2019-08-26T00:00:00", "dateUpdated": "2020-03-21T00:21:41", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yarnpkg:yarn:*:*:*:*:*:*:*:*", "matchCriteriaId": "4DDD3216-66F9-4D89-8F92-4EA44E02529F", "versionEndExcluding": "1.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack."}, {"lang": "es", "value": "La comprobaci\u00f3n de integridad del paquete en yarn versiones anteriores a 1.19.0, contiene una vulnerabilidad TOCTOU donde se calcula el hash antes de escribir un paquete en cach\u00e9. No se vuelve a calcular cuando se lee desde la cach\u00e9. Esto puede conllevar a un ataque de contaminaci\u00f3n de cach\u00e9."}], "id": "CVE-2019-15608", "lastModified": "2020-03-21T01:15:12.023", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-15T18:15:11.177", "references": [{"source": "support@hackerone.com", "url": "https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190"}, {"source": "support@hackerone.com", "url": "https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c"}, {"source": "support@hackerone.com", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://hackerone.com/reports/703138"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-840"}], "source": "support@hackerone.com", "type": "Secondary"}]}