Description
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data: when a lockfile contains http:// URLs, Yarn fetches those packages over plain HTTP, so any authentication data attached to the request is sent unencrypted over the network.
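To find the entries that would trigger this, the following added check (not part of this advisory or of Yarn itself) parses a v1 yarn.lock and reports every resolved URL that uses plain HTTP, with an optional rewrite to HTTPS; the lockfile excerpt is constructed sample data.

```python
import re
from typing import List, Tuple

# Constructed yarn.lock v1 excerpt (sample data, not taken from any real project).
SAMPLE_LOCKFILE = '''# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@scope/pkg-a@^1.0.0":
  version "1.0.2"
  resolved "https://registry.yarnpkg.com/@scope/pkg-a/-/pkg-a-1.0.2.tgz#abc123"
  integrity sha512-AAAA

pkg-b@~2.1.0:
  version "2.1.4"
  resolved "http://registry.example.internal/pkg-b/-/pkg-b-2.1.4.tgz#def456"
  integrity sha512-BBBB

pkg-c@1.0.0:
  version "1.0.0"
  resolved "http://registry.yarnpkg.com/pkg-c/-/pkg-c-1.0.0.tgz#0123"
'''

# An indented `resolved "<url>"` line inside an entry.
RESOLVED_RE = re.compile(r'^[ \t]+resolved[ \t]+"(?P<url>[^"]+)"[ \t]*$')
# An unindented entry header such as `pkg-b@~2.1.0:` or `"@scope/pkg-a@^1.0.0":`.
ENTRY_RE = re.compile(r'^(?P<key>\S.*):[ \t]*$')


def find_plaintext_resolved(lock_text: str) -> List[Tuple[str, int, str]]:
    """Return (entry_key, line_number, url) for every resolved URL using http://."""
    findings = []
    current_key = "<unknown>"
    for lineno, line in enumerate(lock_text.splitlines(), start=1):
        if line.startswith("#") or not line.strip():
            continue  # comments and blank separators
        m_entry = ENTRY_RE.match(line)
        if m_entry:
            current_key = m_entry.group("key").strip('"')
            continue
        m_res = RESOLVED_RE.match(line)
        if m_res and m_res.group("url").lower().startswith("http://"):
            findings.append((current_key, lineno, m_res.group("url")))
    return findings


def rewrite_to_https(lock_text: str) -> str:
    """Rewrite http:// resolved URLs to https://; the integrity field still pins the tarball."""
    return re.sub(r'^([ \t]+resolved[ \t]+")http://', r'\1https://',
                  lock_text, flags=re.MULTILINE | re.IGNORECASE)
```

The rewrite is only appropriate where the host actually serves TLS; for an internal mirror that does not, fix the registry configuration rather than the lockfile.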
Remediation
Upgrade Yarn to 1.17.3 or later, the first version the description above gives as unaffected.
References
https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
https://hackerone.com/reports/640904
https://yarnpkg.com/blog/2019/07/12/recommended-security-update/