CVE-2019-5448 Vulnerability in npm package yarn

Description

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.

Remediation

References

https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md

https://hackerone.com/reports/640904

https://yarnpkg.com/blog/2019/07/12/recommended-security-update/

Related Vulnerabilities

CVE-2020-28277 Vulnerability in maven package org.webjars.npm:dset

CVE-2023-22465 Vulnerability in maven package org.http4s:http4s-core

CVE-2019-5416 Vulnerability in npm package localhost-now

CVE-2021-24033 Vulnerability in npm package react-dev-utils

CVE-2020-36181 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

Severity

Critical

Classification

CWE-319 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H