CVE-2019-5448 – yarn
Package
Manager: npm
Name: yarn
Vulnerable Version: >=0 <1.17.3
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00107 (percentile: 0.29575)
Details
Missing Encryption of Sensitive Data in yarn

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data: HTTP URLs in the lockfile cause unencrypted authentication data to be sent over the network.
Metadata
Created: 2019-07-31T04:22:15Z
Modified: 2021-08-17T19:40:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-wqfc-cr59-h64p/GHSA-wqfc-cr59-h64p.json
CWE IDs: ["CWE-311", "CWE-319"]
Alternative ID: GHSA-wqfc-cr59-h64p
Finding: F020
Auto approve: 1