{
  "threat_severity" : "Moderate",
  "public_date" : "2020-02-14T00:00:00Z",
  "bugzilla" : {
    "description" : "yarn: Arbitrary filesystem write via tar expansion",
    "id" : "1816261",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1816261"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-77",
  "details" : [ "Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.", "An arbitrary file write flaw was found in Yarn. This flaw allows an attacker to write files to a user’s system in unexpected places, potentially leading to remote code execution. The attacker would need to first trick a developer into installing a malicious package." ],
  "statement" : "Normally yarn allows packages to run postinstall scripts which can write arbitrary files to the users system. This vulnerability allows an attacker to better hide the attack and also allow arbitrary file write when postinstall scripts are disabled with the '--ignore-scripts' option of 'yarn install'.",
  "affected_release" : [ {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/clair-rhel8:v3.4.0-25"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-bridge-operator-bundle:v3.4.0-3"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-bridge-operator-rhel8:v3.4.0-17"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-builder-qemu-rhcos-rhel8:v3.4.0-17"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-builder-rhel8:v3.4.0-18"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-container-security-operator-bundle:v3.4.0-2"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-container-security-operator-rhel8:v3.4.0-2"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-openshift-bridge-rhel8-operator:v3.4.0-17"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-operator-bundle:v3.4.0-89"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-operator-rhel8:v3.4.0-132"
  }, {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-02-04T00:00:00Z",
    "advisory" : "RHSA-2021:0420",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-rhel8:v3.4.0-51"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-8131\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8131" ],
  "name" : "CVE-2020-8131",
  "csaw" : false
}