CVE-2019-15608: Time-of-check Time-of-use (TOCTOU) Race Condition
The package integrity validation in yarn contains a TOCTOU vulnerability: the hash is computed once, before a package is written to the cache, and is not recomputed when the package is later read back from the cache. An entry modified after it was written is therefore served without detection, which may lead to a cache pollution attack.
References