CVE-2018-12556

{"id": "CVE-2018-12556", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2019-05-16T17:29:00.730", "references": [{"url": "http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html", "tags": ["VDB Entry", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://seclists.org/fulldisclosure/2019/Apr/38", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/yarnpkg/website/commits/master", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.openwall.com/lists/oss-security/2019/04/30/4", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does not pin the signature to the yarn release key, which allows remote attackers to sign tampered yarn release packages with their own key."}, {"lang": "es", "value": "La rutina de verificaci\u00f3n de firma en install.sh en yarnpkg / website hasta 06-05-2018 solo verifica que la versi\u00f3n Yarn est\u00e9 firmada por cualquier clave (arbitraria) en el llavero local del usuario, y no fija la firma en la clave de la versi\u00f3n Yarn, que permite a los atacantes remotos firmar paquetes de la versi\u00f3n Yarn manipulados con su propia clave."}], "lastModified": "2019-05-21T14:03:11.490", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:yarnpkg:website:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "34017A12-CF2F-4F6C-9713-8B44867FF171", "versionEndIncluding": "2018-06-05"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}