HIGH8.1
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:NCVSS 3.xHIGH 8.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HReferences
- https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
- https://hackerone.com/reports/640904
- https://yarnpkg.com/blog/2019/07/12/recommended-security-update/
- https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
- https://hackerone.com/reports/640904
- https://yarnpkg.com/blog/2019/07/12/recommended-security-update/