CVE-2019-5448

Sažetak

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.

Reference

https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
https://yarnpkg.com/blog/2019/07/12/recommended-security-update/
https://hackerone.com/reports/640904

CVSS

Base:	4.3
Impact:	2.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:P/I:N/A:N

Zadnje važnije ažuriranje

03-11-2021 - 18:27

Objavljeno

30-07-2019 - 21:15