Search criteria
1 vulnerability by yarn
CVE-2019-5448 (GCVE-0-2019-5448)
Vulnerability from cvelistv5 – Published: 2019-07-30 20:15 – Updated: 2024-08-04 19:54
VLAI
Summary
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.
Severity
No CVSS data available.
CWE
- CWE-311 - Missing Encryption of Sensitive Data (CWE-311)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://hackerone.com/reports/640904 | x_refsource_MISC |
| https://github.com/ChALkeR/notes/blob/master/Yarn… | x_refsource_MISC |
| https://yarnpkg.com/blog/2019/07/12/recommended-s… | x_refsource_CONFIRM |
Date Public
2019-07-12 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:54:53.646Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/640904"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://yarnpkg.com/blog/2019/07/12/recommended-security-update/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "yarn",
"vendor": "yarn",
"versions": [
{
"status": "affected",
"version": "Fixed in 1.17.3"
}
]
}
],
"datePublic": "2019-07-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "Missing Encryption of Sensitive Data (CWE-311)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-30T20:15:57.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/640904"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://yarnpkg.com/blog/2019/07/12/recommended-security-update/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2019-5448",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "yarn",
"version": {
"version_data": [
{
"version_value": "Fixed in 1.17.3"
}
]
}
}
]
},
"vendor_name": "yarn"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing Encryption of Sensitive Data (CWE-311)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/640904",
"refsource": "MISC",
"url": "https://hackerone.com/reports/640904"
},
{
"name": "https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md",
"refsource": "MISC",
"url": "https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md"
},
{
"name": "https://yarnpkg.com/blog/2019/07/12/recommended-security-update/",
"refsource": "CONFIRM",
"url": "https://yarnpkg.com/blog/2019/07/12/recommended-security-update/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2019-5448",
"datePublished": "2019-07-30T20:15:57.000Z",
"dateReserved": "2019-01-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T19:54:53.646Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}