Description
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data: HTTP URLs in the lockfile cause authentication data to be sent over the network unencrypted.
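As an added defensive check (not code from Yarn or from the linked references), the script below scans a yarn lockfile v1 for entries whose resolved URL uses plain http://, which is the condition the description refers to; the lockfile content is constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample yarn.lock (v1 format); one entry resolves over plain http://
SAMPLE_LOCKFILE = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#5b8a3a5"

internal-lib@^2.0.0:
  version "2.0.0"
  resolved "http://registry.example.internal/internal-lib/-/internal-lib-2.0.0.tgz#abc123"
"""

# An entry header is an unindented line ending in ':' (possibly several quoted specs)
ENTRY_HEADER = re.compile(r'^(\S.*):\s*$')
# The indented 'resolved "<url>"' line inside an entry
RESOLVED_LINE = re.compile(r'^\s+resolved\s+"([^"]+)"')


def find_plaintext_resolved(lockfile_text):
    """Return [(entry_spec, host, url)] for every entry resolved over http://.

    Any such entry would make yarn send registry credentials for that host
    without TLS, so each finding should be fixed (https:// or a corrected
    registry URL) before the lockfile is trusted.
    """
    findings = []
    current = None
    for line in lockfile_text.splitlines():
        header = ENTRY_HEADER.match(line)
        if header:
            current = header.group(1).strip('"')
            continue
        resolved = RESOLVED_LINE.match(line)
        if resolved:
            url = resolved.group(1)
            parts = urlsplit(url)
            if parts.scheme == "http":
                findings.append((current, parts.hostname, url))
    return findings


if __name__ == "__main__":
    for spec, host, url in find_plaintext_resolved(SAMPLE_LOCKFILE):
        print(f"plaintext registry URL for {spec} (host {host}): {url}")
```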
Remediation
Upgrade Yarn to version 1.17.3 or later.
References
https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
https://hackerone.com/reports/640904
https://yarnpkg.com/blog/2019/07/12/recommended-security-update/
Related Vulnerabilities
CVE-2022-38900 Vulnerability in npm package decode-uri-component
CVE-2019-18213 Vulnerability in maven package org.lsp4xml:lsp4xml-extensions
CVE-2021-39167 Vulnerability in npm package @openzeppelin/contracts
CVE-2021-43309 Vulnerability in npm package uri-template-lite
CVE-2019-20364 Vulnerability in maven package org.igniterealtime.openfire:xmppserver