Description

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.

Remediation

References

https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md

https://hackerone.com/reports/640904

https://yarnpkg.com/blog/2019/07/12/recommended-security-update/

Related Vulnerabilities

CVE-2022-23647 Vulnerability in npm package prismjs

CVE-2019-19040 Vulnerability in maven package org.kairosdb:kairosdb

CVE-2023-29526 Vulnerability in maven package org.xwiki.platform:xwiki-platform-rendering-async-api

CVE-2020-26237 Vulnerability in npm package highlight.js

CVE-2021-32824 Vulnerability in maven package org.apache.dubbo:dubbo-common

Severity

Critical

Classification

CWE-319 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Permissions Required Vendor Advisory