CVE-2019-15608

The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.
Configurations

Configuration 1

cpe:2.3:a:yarnpkg:yarn:*:*:*:*:*:*:*:*

Information

Published : 2020-03-15 06:15

Updated : 2020-03-21 01:15


NVD link : CVE-2019-15608

Mitre link : CVE-2019-15608

Products Affected
No products.
CWE