CVE-2019-5448

HIGH8.1EPSS 0.11%

Missing Encryption of Sensitive Data in yarn

發布日:2019/7/31修改日:2023/11/8

也稱為:GHSA-wqfc-cr59-h64pDEBIAN-CVE-2019-5448

描述

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.

受影響套件(2)

Debian/node-yarnpkgfrom 0, < 1.13.0-3
npm/yarnfrom 0, < 1.17.3

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.1	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-5448
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-5448
WEBhttps://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
WEBhttps://hackerone.com/reports/640904
WEBhttps://yarnpkg.com/blog/2019/07/12/recommended-security-update