Signature Verification Flaw in Yarnpkg's Website Allows Signing of Tampered Packages
CVE-2018-12556

5.9MEDIUM

Key Information:

Vendor

Yarnpkg

Status
Website
Vendor
CVE Published:
16 May 2019

What is CVE-2018-12556?

The signature verification mechanism in the install.sh script of Yarnpkg's website permits any key from the local user keyring to verify yarn release signatures. This lack of strict verification allows remote attackers to create and sign malicious yarn packages, leading to the risk of software compromise when these tampered releases are installed.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://github.com/yarnpkg/website/commits/master
x_refsource_MISC
http://seclists.org/fulldisclosure/2019/Apr/38
mailing-listx_refsource_FULLDISC
http://packetstormsecurity.com/files/152703/Johnny-You-Ar...
x_refsource_MISC

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.