CVE-2019-5448

EPSS 0.7%CWE-311

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.

Productos afectados

yarn · yarn

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md https://hackerone.com/reports/640904 https://yarnpkg.com/blog/2019/07/12/recommended-security-update/