CVE-2019-15608
Severity: MEDIUM · CVSS 3.1 base score 5.9 · EPSS 75.5%
Published Mar 15, 2020 (6y ago) · Last Modified Jun 17, 2026 (2w ago)
Description
The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability: the package hash is computed before the package is written to the cache, but it is not computed again when the package is read back from the cache. This may lead to a cache pollution attack.
CVSS Details
- Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: High
- Availability: None
Threat Intelligence
- EPSS exploit probability: 75.5% percentile
Exploit & Patch Status
- Public exploit known
- No patch available
Weaknesses (2)
- CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
- CWE-840: Business Logic Errors
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| yarnpkg | yarn | * | <1.19.0 |
References (3)
- github.com https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190
- github.com https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c
- hackerone.com https://hackerone.com/reports/703138
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.