Description

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.

Remediation

References

https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md

https://hackerone.com/reports/640904

https://yarnpkg.com/blog/2019/07/12/recommended-security-update/

Related Vulnerabilities

CVE-2023-26149 Vulnerability in npm package quill-mention

CVE-2022-4640 Vulnerability in maven package net.mingsoft:ms-mcms

CVE-2020-36320 Vulnerability in maven package com.vaadin:vaadin-server

CVE-2020-5497 Vulnerability in maven package org.mitre:openid-connect-server-webapp

CVE-2021-29262 Vulnerability in maven package org.apache.solr:solr-core

Severity

Critical

Classification

CWE-319 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Permissions Required Vendor Advisory