CVE-2018-12556
Severity: NONE · EPSS: 75.4%
Published May 16, 2019 · Last Modified Jun 17, 2026
Description
The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does not pin the signature to the yarn release key, which allows remote attackers to sign tampered yarn release packages with their own key.
Threat Intelligence
EPSS Exploit Probability
75.4% (percentile)
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses (1)
CWE-347
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| yarnpkg | website | * | ≤2018-06-05 |
References (6)
- packetstormsecurity.com http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html
- seclists.org http://seclists.org/fulldisclosure/2019/Apr/38
- github.com https://github.com/RUB-NDS/Johnny-You-Are-Fired
- github.com https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf
- github.com https://github.com/yarnpkg/website/commits/master
- openwall.com https://www.openwall.com/lists/oss-security/2019/04/30/4
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.