Vulnerabilites related to yarn - yarn
CVE-2019-5448 (GCVE-0-2019-5448)
Vulnerability from cvelistv5
Published
2019-07-30 20:15
Modified
2024-08-04 19:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-311 - Missing Encryption of Sensitive Data ()
Summary
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:54:53.646Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/640904"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://yarnpkg.com/blog/2019/07/12/recommended-security-update/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "yarn",
"vendor": "yarn",
"versions": [
{
"status": "affected",
"version": "Fixed in 1.17.3"
}
]
}
],
"datePublic": "2019-07-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "Missing Encryption of Sensitive Data (CWE-311)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-30T20:15:57",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/640904"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://yarnpkg.com/blog/2019/07/12/recommended-security-update/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2019-5448",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "yarn",
"version": {
"version_data": [
{
"version_value": "Fixed in 1.17.3"
}
]
}
}
]
},
"vendor_name": "yarn"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing Encryption of Sensitive Data (CWE-311)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/640904",
"refsource": "MISC",
"url": "https://hackerone.com/reports/640904"
},
{
"name": "https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md",
"refsource": "MISC",
"url": "https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md"
},
{
"name": "https://yarnpkg.com/blog/2019/07/12/recommended-security-update/",
"refsource": "CONFIRM",
"url": "https://yarnpkg.com/blog/2019/07/12/recommended-security-update/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2019-5448",
"datePublished": "2019-07-30T20:15:57",
"dateReserved": "2019-01-04T00:00:00",
"dateUpdated": "2024-08-04T19:54:53.646Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}