CVE-2018-12556

NONE · EPSS 75.4%
Published May 16, 2019 (7y ago) · Modified Jun 17, 2026 (2w ago)

Description

The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does not pin the signature to the yarn release key, which allows remote attackers to sign tampered yarn release packages with their own key.
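As an added illustration of the weakness described above (not code from yarnpkg/website's install.sh): a POSIX shell sketch that contrasts the unpinned `gpg --verify` pattern with a check that parses gpg's machine-readable status output and accepts only a signature whose primary-key fingerprint matches a pinned value. The fingerprint, key IDs and status lines are constructed placeholders, and `verify_pinned` / `check_status_pinned` are assumed names, not yarn's own functions.

```shell
#!/bin/sh
# Added example, not code from yarnpkg/website. The fingerprint below is a
# constructed placeholder, not yarn's real release key.
YARN_RELEASE_KEY_FPR="0000000000000000000000000000000000000000"

# Weak pattern from the CVE: exit status 0 only means "some key in the local
# keyring produced a valid signature", so any imported key satisfies it.
verify_unpinned() {
  gpg --verify "$1" "$2" >/dev/null 2>&1
}

# Pinned decision logic, kept separate from gpg so it can be exercised offline.
# $1: gpg --status-fd output, $2: expected primary-key fingerprint.
# On a VALIDSIG line field 12 is the primary-key fingerprint, which also
# covers signatures made by a signing subkey of the pinned key.
check_status_pinned() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $12 == want { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# Hardened wrapper: $1 detached signature, $2 release archive.
verify_pinned() {
  status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
  check_status_pinned "$status" "$YARN_RELEASE_KEY_FPR"
}

# Constructed status output: a good signature from an unrelated key that
# happens to be in the keyring. The weak check accepts it; the pinned one must not.
STATUS_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Someone Else <else@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2018-06-05 1528156800 0 4 0 1 10 00 1111111111111111111111111111111111111111
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed status output: a signature made by the pinned release key.
STATUS_RELEASE_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Yarn Release <release@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2018-06-05 1528156800 0 4 0 1 10 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_ULTIMATE 0 pgp'
```

Pinning only helps if the expected fingerprint ships with the installer itself rather than being derived from whatever the user's keyring already holds.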

Threat Intelligence

EPSS Exploit Probability
75.4% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-347: Improper Verification of Cryptographic Signature

Affected Products 1

Vendor    Product   Version   Range
yarnpkg   website   *         ≤2018-06-05

References 6

  • packetstormsecurity.com http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html
    Third Party Advisory, VDB Entry
  • seclists.org http://seclists.org/fulldisclosure/2019/Apr/38
    Mailing List, Third Party Advisory
  • github.com https://github.com/RUB-NDS/Johnny-You-Are-Fired
    Third Party Advisory
  • github.com https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf
    Third Party Advisory
  • github.com https://github.com/yarnpkg/website/commits/master
    Third Party Advisory
  • openwall.com https://www.openwall.com/lists/oss-security/2019/04/30/4
    Mailing List, Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.