HIGH 8.1

GHSA-wqfc-cr59-h64p

Missing Encryption of Sensitive Data in yarn

Details

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / yarn

Introduced in: 0 Fixed in: 1.17.3

Fix npm install yarn@1.17.3

References

https://nvd.nist.gov/vuln/detail/CVE-2019-5448 [ADVISORY]
https://hackerone.com/reports/640904 [WEB]
https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md [WEB]
https://yarnpkg.com/blog/2019/07/12/recommended-security-update [WEB]