漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Turborepo: Unexpected local code execution during Yarn Berry detection
Vulnerability Description
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed yarn --version from the project directory, which could cause Yarn to load and execute a project-controlled yarnPath from .yarnrc.yml. An attacker who controls repository contents could cause code execution when a user or CI system runs affected turbo, @turbo/codemod, or @turbo/workspace conversion commands. This vulnerability is fixed in 2.9.14.
CVSS Information
N/A
Vulnerability Type
不可信的搜索路径
Vulnerability Title
Turborepo 代码问题漏洞
Vulnerability Description
Turborepo是Vercel开源的一款高性能JavaScript和TypeScript构建系统。 Turborepo 1.1.0版本至2.9.14之前版本存在代码问题漏洞,该漏洞源于包管理器检测时执行yarn --version,可能导致加载恶意yarnPath配置,从而在不可信仓库中执行任意代码。
CVSS Information
N/A
Vulnerability Type
N/A