CVE-2018-12556

Sažetak

The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does not pin the signature to the yarn release key, which allows remote attackers to sign tampered yarn release packages with their own key.

Reference

http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html
http://seclists.org/fulldisclosure/2019/Apr/38
https://github.com/RUB-NDS/Johnny-You-Are-Fired
https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf
https://github.com/yarnpkg/website/commits/master
https://www.openwall.com/lists/oss-security/2019/04/30/4

CVSS

Base:	4.3
Impact:	2.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:N/I:P/A:N

Zadnje važnije ažuriranje

21-05-2019 - 14:03

Objavljeno

16-05-2019 - 17:29