Description

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.

Remediation

References

https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md

https://hackerone.com/reports/640904

https://yarnpkg.com/blog/2019/07/12/recommended-security-update/

Related Vulnerabilities

CVE-2021-32685 Vulnerability in npm package tenvoy

CVE-2023-33510 Vulnerability in maven package org.jeecgframework.p3:jeecg-p3-biz-chat

CVE-2021-38296 Vulnerability in maven package org.apache.spark:spark-core

CVE-2020-7684 Vulnerability in npm package rollup-plugin-serve

CVE-2019-10792 Vulnerability in npm package bodymen

Severity

Critical

Classification

CWE-319 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Permissions Required Vendor Advisory