Description
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data: HTTP URLs in the lockfile cause unencrypted authentication data to be sent over the network.
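The weakness above hinges on lockfile entries whose `resolved` URL uses plain `http://`, so a fetch (and any registry credentials attached to it) travels unencrypted. The check below is an added example, not code from this advisory or from the Yarn project: it scans a Yarn v1 lockfile and reports every entry resolved over plaintext HTTP. The lockfile text and the registry host `registry.example.internal` are constructed for the example.

```python
import re
import sys

# Constructed sample: a minimal Yarn v1 lockfile with one https and one http entry.
SAMPLE_LOCKFILE = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#constructedhash"
  integrity sha512-constructedplaceholder

some-internal-pkg@^2.0.0:
  version "2.0.1"
  resolved "http://registry.example.internal/some-internal-pkg/-/some-internal-pkg-2.0.1.tgz"
"""

# Yarn v1 lockfile layout: an unindented line ending in ':' opens an entry
# (the dependency specifier), and an indented 'resolved "<url>"' line inside
# it carries the URL the tarball is fetched from.
ENTRY_RE = re.compile(r'^(?P<spec>\S.*):\s*$')
RESOLVED_RE = re.compile(r'^\s+resolved\s+"(?P<url>[^"]+)"')


def find_plaintext_resolved(lockfile_text):
    """Return a list of (specifier, url) for entries whose resolved URL is plain http."""
    findings = []
    current_spec = None
    for line in lockfile_text.splitlines():
        if line.startswith('#') or not line.strip():
            continue  # comments and blank separators
        entry = ENTRY_RE.match(line)
        if entry:
            current_spec = entry.group('spec')
            continue
        resolved = RESOLVED_RE.match(line)
        if resolved and resolved.group('url').lower().startswith('http://'):
            findings.append((current_spec, resolved.group('url')))
    return findings


def main(argv):
    # Usage: python check_lock.py [path/to/yarn.lock]; without a path the
    # constructed sample is scanned. Exit status 1 signals a finding, so the
    # check can gate a CI step.
    text = open(argv[1], encoding='utf-8').read() if len(argv) > 1 else SAMPLE_LOCKFILE
    findings = find_plaintext_resolved(text)
    for spec, url in findings:
        print(f"plaintext resolved URL for {spec}: {url}")
    return 1 if findings else 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Run against a real `yarn.lock`, the script lists each specifier whose tarball would be fetched without TLS; rewriting those entries to `https://` (or regenerating the lockfile against an HTTPS registry) removes the plaintext transport regardless of the Yarn version in use.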
Remediation
References
https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
https://yarnpkg.com/blog/2019/07/12/recommended-security-update/
https://hackerone.com/reports/640904
Related Vulnerabilities
CVE-2020-8203 Vulnerability in npm package lodash
CVE-2021-21636 Vulnerability in maven package org.jenkins-ci.plugins:tfs
CVE-2021-23371 Vulnerability in npm package chrono-node
CVE-2020-7641 Vulnerability in npm package grunt-util-property
CVE-2020-26939 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk15on