Description
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data: HTTP URLs in the lockfile cause authentication data to be sent unencrypted over the network.
Remediation
Upgrade Yarn to version 1.17.3 or later (the first version the description places outside the affected range).
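To detect the condition this entry describes, a defender can scan a Yarn v1 lockfile for "resolved" URLs that use plain http:// and optionally rewrite them to https://. The following is an added example written for this page, not Yarn's own code; the lockfile text, the registry hostnames and the hash fragments in it are constructed.

```python
"""Scan a Yarn v1 lockfile for packages whose resolved URL is plain HTTP."""
import re
from urllib.parse import urlparse

# An indented "resolved" line inside a lockfile entry, e.g.
#   resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.15.tgz#abcd"
RESOLVED_RE = re.compile(r'^\s+resolved\s+"(?P<url>[^"]+)"')

# Constructed sample lockfile: one entry fetched over HTTP, one over HTTPS.
SAMPLE_LOCK = """# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@example/private-pkg@^1.0.0":
  version "1.0.0"
  resolved "http://registry.example.internal/@example/private-pkg/-/private-pkg-1.0.0.tgz#0123abcd"

lodash@^4.17.15:
  version "4.17.15"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.15.tgz#b7a8f9c3"
  integrity sha512-CONSTRUCTEDVALUE
"""


def find_insecure_resolved(lock_text):
    """Return [(entry_header, url)] for every entry resolved over http://."""
    findings = []
    current = None
    for line in lock_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line[0].isspace():
            # Top-level entry header such as  lodash@^4.17.15:  (quotes optional)
            current = line.rstrip().rstrip(":").strip('"')
            continue
        m = RESOLVED_RE.match(line)
        if m and urlparse(m.group("url")).scheme == "http":
            findings.append((current, m.group("url")))
    return findings


def rewrite_to_https(lock_text):
    """Return the lockfile with http:// resolved URLs changed to https://.

    Only the scheme is touched; the tarball path and hash fragment stay intact,
    so this is safe only if the registry host serves the same content over TLS.
    """
    out = []
    for line in lock_text.splitlines():
        m = RESOLVED_RE.match(line)
        if m and urlparse(m.group("url")).scheme == "http":
            line = line.replace('"http://', '"https://', 1)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for entry, url in find_insecure_resolved(SAMPLE_LOCK):
        print(f"plain-HTTP resolved URL in entry {entry!r}: {url}")
```

Run the scan over a real yarn.lock before accepting it into a repository; any hit means credentials configured for that registry would leave the machine unencrypted on an affected Yarn version.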
References
https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
https://hackerone.com/reports/640904
https://yarnpkg.com/blog/2019/07/12/recommended-security-update/
Related Vulnerabilities
CVE-2020-8129 Vulnerability in npm package script-manager
CVE-2018-1000136 Vulnerability in npm package electron
CVE-2012-5784 Vulnerability in maven package axis:axis
CVE-2018-16459 Vulnerability in maven package org.webjars.npm:exceljs
CVE-2022-41929 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore