CVE-2018-12556

low-risk

Published 2019-05-16

The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does not pin the signature to the yarn release key, which allows remote attackers to sign tampered yarn release packages with their own key.

Do I need to act?

0.34% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Website

Affected Vendors

Yarnpkg

References (12)

Third Party Advisory http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html

Mailing List http://seclists.org/fulldisclosure/2019/Apr/38

Third Party Advisory https://github.com/RUB-NDS/Johnny-You-Are-Fired

Third Party Advisory https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.p...

Third Party Advisory https://github.com/yarnpkg/website/commits/master

Mailing List https://www.openwall.com/lists/oss-security/2019/04/30/4

Third Party Advisory http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html

Mailing List http://seclists.org/fulldisclosure/2019/Apr/38

Third Party Advisory https://github.com/RUB-NDS/Johnny-You-Are-Fired

Third Party Advisory https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.p...

Third Party Advisory https://github.com/yarnpkg/website/commits/master

Mailing List https://www.openwall.com/lists/oss-security/2019/04/30/4

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal