#VU30976 Cryptographic issues in yarn


Published: 2019-07-30 | Updated: 2020-07-17

Vulnerability identifier: #VU30976

Vulnerability risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-5448

CWE-ID: CWE-310

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
yarn
Web applications / Modules and components for CMS

Vendor: Yarn

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data: plain `http://` URLs in the lockfile cause authentication data to be sent over the network unencrypted.
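The condition described above is detectable from the lockfile alone: a yarn.lock v1 entry records the tarball location in its `resolved` line, and an entry resolved over plain `http://` is the one that would carry credentials in clear text. The following Python script is an added example (not Yarn's code and not part of this bulletin) that scans a lockfile for such entries and produces a copy with those URLs upgraded to `https://`; the sample lockfile, package names and registry host are constructed for illustration. It is a defender-side audit step to pair with updating to 1.17.3 or later, not a replacement for the vendor fix.

```python
import re
from urllib.parse import urlsplit

# Constructed sample yarn.lock (v1 format): one entry resolved over HTTPS,
# one resolved over plain HTTP. The hosts and hashes are placeholders.
SAMPLE_LOCKFILE = '''\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@scope/safe-pkg@^1.0.0":
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/@scope/safe-pkg/-/safe-pkg-1.0.0.tgz#0123456789abcdef"
  integrity sha512-AAAA

left-pad@^1.3.0:
  version "1.3.0"
  resolved "http://registry.example.internal/left-pad/-/left-pad-1.3.0.tgz#fedcba9876543210"
  integrity sha512-BBBB
'''

# An entry header is an unindented line ending in ':' (possibly quoted).
ENTRY_HEADER = re.compile(r'^(\S.*):\s*$')
# The resolved line is indented and holds the tarball URL in double quotes.
RESOLVED_LINE = re.compile(r'^\s+resolved\s+"([^"]+)"\s*$')


def find_plaintext_resolved(lockfile_text):
    """Return (entry_name, url) for every entry whose resolved URL uses plain HTTP."""
    findings = []
    current = None
    for line in lockfile_text.splitlines():
        if line.startswith('#') or not line.strip():
            continue  # comments and blank separators
        header = ENTRY_HEADER.match(line)
        if header:
            current = header.group(1).strip('"')
            continue
        resolved = RESOLVED_LINE.match(line)
        if resolved:
            url = resolved.group(1)
            # The scheme alone decides whether auth headers travel unencrypted.
            if urlsplit(url).scheme.lower() == 'http':
                findings.append((current, url))
    return findings


def rewrite_to_https(lockfile_text):
    """Return a copy of the lockfile with http:// resolved URLs upgraded to https://.

    Only the scheme changes; the version, the '#<hash>' fragment and the
    integrity line are left untouched so the lockfile still pins the same tarball.
    """
    def fix(match):
        url = match.group(1)
        if urlsplit(url).scheme.lower() == 'http':
            url = 'https://' + url[len('http://'):]
        return match.group(0).replace(match.group(1), url)

    fixed_lines = [RESOLVED_LINE.sub(fix, line) for line in lockfile_text.splitlines()]
    return '\n'.join(fixed_lines) + '\n'


if __name__ == '__main__':
    # Stand-alone run: report each plaintext entry, then show the rewritten line.
    for entry, url in find_plaintext_resolved(SAMPLE_LOCKFILE):
        print(f'plaintext resolved URL in entry {entry!r}: {url}')
    print(rewrite_to_https(SAMPLE_LOCKFILE))
```

Running the script against a real project would replace `SAMPLE_LOCKFILE` with the contents of its yarn.lock; a non-empty result from `find_plaintext_resolved` is the signal that installs with this lockfile can leak registry credentials on affected Yarn versions. Upgrading the scheme is only safe where the registry actually serves HTTPS, so review the rewritten file before committing it.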

Mitigation
Install update from vendor's website.

Vulnerable software versions

yarn: 1.17.0 - 1.17.2


External links
http://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
http://hackerone.com/reports/640904
http://yarnpkg.com/blog/2019/07/12/recommended-security-update/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

