Description
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data: HTTP URLs in the lockfile cause authentication data to be sent unencrypted over the network.
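As an added example (not from this advisory or from the Yarn project), a Node.js check that parses a v1 yarn.lock and reports every dependency whose `resolved` URL uses plain http://, the lockfile condition the description names; the lockfile content is constructed.

```javascript
// Added example: find yarn.lock entries resolved over plain http://, the
// condition under which vulnerable Yarn versions sent auth data unencrypted.

// Parse a v1 yarn.lock into [{ key, version, resolved }]. Entry headers start
// at column 0 and end with ":"; fields are indented and quoted.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      current = { key: line.slice(0, -1).replace(/"/g, ""), version: null, resolved: null };
      entries.push(current);
      continue;
    }
    if (!current) continue;
    const m = /^\s+(version|resolved)\s+"([^"]*)"/.exec(line);
    if (m) current[m[1]] = m[2];
  }
  return entries;
}

// Entries whose download URL is http://; any credentials configured for that
// host would travel with the request in the clear.
function findPlaintextResolved(text) {
  return parseYarnLock(text)
    .filter((e) => e.resolved && /^http:\/\//i.test(e.resolved))
    .map((e) => ({ key: e.key, resolved: e.resolved }));
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


left-pad@^1.3.0:
  version "1.3.0"
  resolved "http://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#constructed"
  integrity sha512-constructed

lodash@^4.17.15:
  version "4.17.15"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.15.tgz#constructed"
  integrity sha512-constructed
`;

for (const f of findPlaintextResolved(SAMPLE_LOCK)) {
  console.log(`plain-http resolved URL: ${f.key} -> ${f.resolved}`);
}
```

On a real project, read yarn.lock with `fs.readFileSync` and pass its contents to `findPlaintextResolved`; a non-empty result means the lockfile should be regenerated with https:// registry URLs before upgrading is relied on alone.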
Remediation
References
https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
https://hackerone.com/reports/640904
https://yarnpkg.com/blog/2019/07/12/recommended-security-update/