Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

1 vulnerability by yarn

CVE-2019-5448 (GCVE-0-2019-5448)

Vulnerability from cvelistv5 – Published: 2019-07-30 20:15 – Updated: 2024-08-04 19:54
VLAI
Summary
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.
Severity
No CVSS data available.
CWE
  • CWE-311 - Missing Encryption of Sensitive Data (CWE-311)
Assigner
References
Impacted products
Vendor Product Version
yarn yarn Affected: Fixed in 1.17.3
Create a notification for this product.
Date Public
2019-07-12 00:00
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:54:53.646Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/640904"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://yarnpkg.com/blog/2019/07/12/recommended-security-update/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "yarn",
          "vendor": "yarn",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in 1.17.3"
            }
          ]
        }
      ],
      "datePublic": "2019-07-12T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-311",
              "description": "Missing Encryption of Sensitive Data (CWE-311)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-30T20:15:57.000Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/640904"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://yarnpkg.com/blog/2019/07/12/recommended-security-update/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2019-5448",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "yarn",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Fixed in 1.17.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "yarn"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Missing Encryption of Sensitive Data (CWE-311)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/640904",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/640904"
            },
            {
              "name": "https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md",
              "refsource": "MISC",
              "url": "https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md"
            },
            {
              "name": "https://yarnpkg.com/blog/2019/07/12/recommended-security-update/",
              "refsource": "CONFIRM",
              "url": "https://yarnpkg.com/blog/2019/07/12/recommended-security-update/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2019-5448",
    "datePublished": "2019-07-30T20:15:57.000Z",
    "dateReserved": "2019-01-04T00:00:00.000Z",
    "dateUpdated": "2024-08-04T19:54:53.646Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}