Description
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| node-yarnpkg | fixed | 1.13.0-3 | | package |
| node-yarnpkg | fixed | 1.13.0-1+deb10u1 | buster | package |
Notes
https://hackerone.com/reports/640904
https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
https://github.com/yarnpkg/yarn/pull/7393
https://github.com/yarnpkg/yarn/commit/2f08a7405cc3f6fe47c30293050bb0ac94850932
Related vulnerabilities
CVSS3: 8.1
ubuntu
more than 6 years ago
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.
CVSS3: 8.1
nvd
more than 6 years ago
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.