Description
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data: when a lockfile (yarn.lock) contains plain http:// URLs in its resolved fields, Yarn fetches those packages over cleartext HTTP and sends the registry authentication data (for example the configured auth token) unencrypted over the network, where it can be read or altered by anyone on the path. Because the lockfile is checked into the repository and is rarely inspected by hand, a single edited resolved URL is enough to trigger the leak on every install that uses that lockfile.
Remediation
Upgrade Yarn to 1.17.3 or later (see the recommended security update in the references). Independently of the upgrade, inspect yarn.lock for resolved entries that begin with http:// and replace or regenerate them so every package is fetched over https://; if credentials were configured for a registry that an http:// entry pointed at, treat those credentials as exposed and rotate them. Note that an integrity field on an entry protects the downloaded tarball against tampering but does nothing to protect the credentials sent in the request.
References
https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
https://hackerone.com/reports/640904
https://yarnpkg.com/blog/2019/07/12/recommended-security-update/
Related Vulnerabilities
CVE-2023-45280 Vulnerability in maven package org.yamcs:yamcs-core
CVE-2022-2216 Vulnerability in npm package parse-url
CVE-2020-13954 Vulnerability in maven package org.apache.cxf:cxf-rt-transports-http
CVE-2023-34189 Vulnerability in maven package org.apache.inlong:manager-web
CVE-2022-45688 Vulnerability in maven package cn.hutool:hutool-json