CVE-2019-5448

Summary

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.

Affected Software

VendorProductVersion RangeStatus
yarnyarnFixed in 1.17.3affected

Weaknesses

  • CWE-311: Missing Encryption of Sensitive Data (CWE-311)

ADP Enrichment

CVE Program Container

Additional References

References