VDB
CVE-2019-5448
CVE-2019-5448
REJECTED
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.
EPSS 0.11% · 28.5th percentile
Risk Scores
EPSS Score
0.11%
28.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:20.04:LTS | node-yarnpkg | 1.19.1-1, 1.13.0-1build1, 1.13.0-3 |
Exploit Intelligence
- https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md (nist-nvd)
- https://yarnpkg.com/blog/2019/07/12/recommended-security-update/ (circl)
- Yarn transfers npm credentials over unencrypted http connection (hackerone)
- Yarn transfers npm credentials over unencrypted http connection (hackerone)
- Yarn transfers npm credentials over unencrypted http connection (hackerone)
- https://hackerone.com/reports/640904 (canonical)
Timeline
- CVE Published
- Aug 14, 2019 PoC Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-5448 third-party-advisory
- https://hackerone.com/reports/640904 third-party-advisory
- https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md third-party-advisory
- https://github.com/yarnpkg/yarn/pull/7393 third-party-advisory
- https://github.com/yarnpkg/yarn/commit/2f08a7405cc3f6fe47c30293050bb0ac94850932 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-5448 third-party-advisory