
Cloud Vulnerability DB
A community-led vulnerabilities database
The package integrity validation in yarn < 1.19.0 contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability where the hash is computed before writing a package to cache. This vulnerability was assigned CVE-2019-15608 and affects yarn versions prior to 1.19.0 (NVD).
The vulnerability exists in the package integrity validation process where there is a race condition between the time when the hash is checked and when the package is written to cache. This TOCTOU issue could potentially allow the package contents to be modified between the check and use phases (Yarn Changelog).
The vulnerability could lead to a security feature bypass, allowing an attacker to manipulate package contents between the validation and caching phases. This could compromise the integrity of packages being installed through yarn.
The vulnerability was fixed in yarn version 1.19.0. Users should upgrade to version 1.19.0 or later to receive the security fix (Yarn Changelog).
Source: This report was generated using AI