Detections
Analytics

CVE-2018-12556

medium

Description

The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does not pin the signature to the yarn release key, which allows remote attackers to sign tampered yarn release packages with their own key.

References

https://www.openwall.com/lists/oss-security/2019/04/30/4

https://github.com/yarnpkg/website/commits/master

https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf

https://github.com/RUB-NDS/Johnny-You-Are-Fired

http://seclists.org/fulldisclosure/2019/Apr/38

http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html

Details

Source: Mitre, NVD

Published: 2019-05-16

Updated: 2019-05-21

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Severity: Medium

EPSS

EPSS: 0.0034