Description
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data: HTTP URLs in the lockfile cause Yarn to send authentication data unencrypted over the network.
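A defender-side check for the condition described above, added here as an example and not code from the advisory or from Yarn: it parses a Yarn v1 lockfile and flags `resolved` entries fetched over plain HTTP, plus any whose URL embeds credentials. The lockfile content and hostnames are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed Yarn v1 lockfile (not from the advisory): one entry fetched over
# plain HTTP, one over HTTPS, one with credentials embedded in the URL.
SAMPLE_LOCKFILE = '''\
# yarn lockfile v1

"@scope/pkg-a@^1.0.0":
  version "1.2.3"
  resolved "http://registry.example.test/@scope/pkg-a/-/pkg-a-1.2.3.tgz#0123abcd"

pkg-b@^2.0.0, pkg-b@~2.1.0:
  version "2.1.4"
  resolved "https://registry.example.test/pkg-b/-/pkg-b-2.1.4.tgz#89abcdef"
  dependencies:
    pkg-c "^3.0.0"

pkg-c@^3.0.0:
  version "3.0.1"
  resolved "http://user:s3cret@mirror.example.test/pkg-c/-/pkg-c-3.0.1.tgz"
'''

HEADER_RE = re.compile(r'^(\S.*):\s*$')                # entry header at column 0
RESOLVED_RE = re.compile(r'^\s+resolved\s+"([^"]+)"')  # indented "resolved" field

def parse_resolved(lockfile_text):
    # Yield (entry_header, resolved_url) pairs; comments and blank lines are skipped.
    current = None
    for line in lockfile_text.splitlines():
        if line.startswith('#') or not line.strip():
            continue
        if (m := HEADER_RE.match(line)):
            current = m.group(1).strip('"')
        elif (m := RESOLVED_RE.match(line)) and current is not None:
            yield current, m.group(1)

def find_insecure(lockfile_text):
    # Flag tarballs fetched over plain HTTP (any auth header Yarn attaches goes out
    # unencrypted) and URLs carrying credentials in their userinfo part.
    findings = []
    for header, url in parse_resolved(lockfile_text):
        parts = urlsplit(url)
        reasons = []
        if parts.scheme == 'http':
            reasons.append('plain-http')
        if parts.username or parts.password:
            reasons.append('credentials-in-url')
        if reasons:
            findings.append((header, parts.hostname, reasons))
    return findings
```

Run `find_insecure` over a project's `yarn.lock` in CI to catch lockfiles that still point at HTTP registry URLs even after upgrading Yarn.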
Remediation
Upgrade Yarn to version 1.17.3 or later.
References
https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
https://hackerone.com/reports/640904
https://yarnpkg.com/blog/2019/07/12/recommended-security-update/
Related Vulnerabilities
CVE-2022-24279 Vulnerability in npm package madlib-object-utils
CVE-2018-20094 Vulnerability in maven package com.xuxueli:xxl-conf
CVE-2021-31412 Vulnerability in maven package com.vaadin:flow-server
CVE-2020-7714 Vulnerability in npm package confucious
CVE-2022-1233 Vulnerability in maven package org.webjars.bower:urijs