Cryptographic issues in yarn - CVE-2019-5448


Published: July 30, 2019 / Updated: July 17, 2020


Vulnerability identifier: #VU30976
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-5448
CWE-ID: CWE-310
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Yarn
Affected software:
yarn

Detailed vulnerability description

The vulnerability allows a remote, unauthenticated attacker to execute arbitrary code.

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data: HTTP URLs in the lockfile cause authentication data to be sent over the network unencrypted.
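
As an added example (not yarn's own code), the following Node.js check scans a yarn.lock v1 file for "resolved" URLs that use plain http://, the condition this advisory describes, and also flags credentials embedded in the URL itself, which goes slightly beyond the text. The lockfile contents, package names and hostnames are constructed.

```javascript
// Added example: find lockfile entries whose tarball is fetched over plain HTTP,
// the condition behind CVE-2019-5448. Any registry auth sent with such a
// request crosses the network unencrypted. SAMPLE_LOCKFILE is constructed.
const SAMPLE_LOCKFILE = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#5b8a3a7765dfe001261dde915589e782f8c94d1e"
  integrity sha512-constructedvalue

"@acme/internal-lib@^2.1.0":
  version "2.1.0"
  resolved "http://npm.internal.example/@acme/internal-lib/-/internal-lib-2.1.0.tgz#constructedsha1"
  integrity sha1-constructedvalue

legacy-tool@1.0.0:
  version "1.0.0"
  resolved "http://user:s3cret@legacy.example/legacy-tool-1.0.0.tgz"
`;

// yarn.lock v1: a non-indented line ending in ":" opens an entry; an indented
// `resolved "<url>"` line belongs to the most recently opened entry.
function findInsecureResolved(lockfileText) {
  const findings = [];
  let currentEntry = null;
  lockfileText.split('\n').forEach((line, idx) => {
    if (line.startsWith('#') || line.trim() === '') return;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      currentEntry = line.slice(0, -1).replace(/^"|"$/g, '');
      return;
    }
    const m = line.match(/^\s+resolved\s+"([^"]+)"/);
    if (!m) return;
    let url;
    try {
      url = new URL(m[1]);
    } catch {
      findings.push({ entry: currentEntry, line: idx + 1, host: null, reasons: ['unparseable URL'] });
      return;
    }
    const reasons = [];
    if (url.protocol === 'http:') reasons.push('plaintext http');
    if (url.username || url.password) reasons.push('credentials embedded in URL');
    if (reasons.length) findings.push({ entry: currentEntry, line: idx + 1, host: url.host, reasons });
  });
  return findings;
}

console.log(JSON.stringify(findInsecureResolved(SAMPLE_LOCKFILE), null, 2));
```

Pass the contents of a real yarn.lock to findInsecureResolved to get one finding per offending entry with its line number; an empty array means every resolved URL already uses https:// with no inline credentials.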


How to mitigate CVE-2019-5448

Install the update from the vendor's website.

Sources