CVE-2019-5448

EPSS 0.7%CWE-311

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.

Produtos afetados

yarn · yarn

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md https://hackerone.com/reports/640904 https://yarnpkg.com/blog/2019/07/12/recommended-security-update/