CVE-2019-5448

HIGH

Yarn < 1.17.3 - Cleartext Transmission of Sensitive Information via HTTP URLs in Lockfile

Title source: llm

Description

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data: HTTP URLs in the lockfile cause authentication data to be sent unencrypted over the network.

References (3)

Core references:
https://hackerone.com/reports/640904 (Permissions Required, Third Party Advisory; x_refsource_misc)

Scores

CVSS v3 8.1
EPSS 0.0067
EPSS Percentile 46.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-319 CWE-311
Status published
Products (2)
npm/yarn 0 - 1.17.3 (npm)
yarnpkg/yarn < 1.17.3
Published Jul 30, 2019
Tracked Since Feb 18, 2026