ALT-PU-2019-2452-1
Closed vulnerabilities
Published: 2019-07-31
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2019-5448
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.
Severity: HIGH (8.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
- https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
- https://hackerone.com/reports/640904
- https://hackerone.com/reports/640904
- https://yarnpkg.com/blog/2019/07/12/recommended-security-update/
- https://yarnpkg.com/blog/2019/07/12/recommended-security-update/