#VU30976 Cryptographic issues in yarn - CVE-2019-5448 

 


Published: July 30, 2019 / Updated: July 17, 2020


Vulnerability identifier: #VU30976
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-5448
CWE-ID: CWE-310
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
yarn
Software vendor:
Yarn

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.
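A lockfile can be audited for the HTTP URLs described above. The following is an added example, not code from Yarn or from this advisory. It assumes the yarn.lock v1 text format. The function name `findInsecureResolved`, the sample lockfile and the host `registry.example.test` are constructed for illustration.

```javascript
// Added example: flag yarn.lock (v1 format) entries whose "resolved" URL is plain HTTP.
// The sample lockfile is constructed; registry.example.test is a placeholder host
// and the all-zero hashes are dummies.
const SAMPLE_LOCK = `# yarn lockfile v1

"@scope/private-lib@^2.0.0":
  version "2.1.0"
  resolved "http://registry.example.test/@scope/private-lib/-/private-lib-2.1.0.tgz#0000000000000000000000000000000000000000"

left-pad@^1.3.0, left-pad@~1.3.0:
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#0000000000000000000000000000000000000000"

mixed-case@1.0.0:
  version "1.0.0"
  resolved "HTTP://registry.example.test/mixed-case/-/mixed-case-1.0.0.tgz"
`;

// Returns one finding per entry that would be fetched over unencrypted HTTP.
function findInsecureResolved(lockText) {
  const findings = [];
  let entry = null; // header of the entry currently being read
  lockText.split(/\r?\n/).forEach((line, idx) => {
    if (line.trim() === '' || line.startsWith('#')) return;
    // Entry headers are unindented and end with ":" (they may list several patterns).
    if (!/^\s/.test(line) && line.endsWith(':')) {
      entry = line.slice(0, -1).replace(/"/g, '');
      return;
    }
    // Field lines look like:  resolved "<url>#<hash>"
    const m = /^\s+resolved\s+"?([^"\s]+)"?\s*$/.exec(line);
    if (!m) return;
    let protocol;
    try {
      protocol = new URL(m[1]).protocol; // the URL parser lower-cases the scheme
    } catch {
      return; // not an absolute URL (for example a local path); out of scope here
    }
    if (protocol === 'http:') {
      findings.push({ entry, line: idx + 1, url: m[1].split('#')[0] });
    }
  });
  return findings;
}

for (const f of findInsecureResolved(SAMPLE_LOCK)) {
  console.log(`line ${f.line}: ${f.entry} -> ${f.url}`);
}
```

To scan a real project, pass the text of its yarn.lock (for example from `fs.readFileSync`) to `findInsecureResolved` and fail the build when the result is non-empty.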


Remediation

Install update from vendor's website.

External links