CVE-2019-5448

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2019-5448
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-5448.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-5448
Aliases
Downstream
Published
2019-07-30T21:15:11.523Z
Modified
2026-05-18T17:38:59.447577Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.

References

Affected packages

Git / github.com/yarnpkg/yarn

Affected ranges

Type
GIT
Repo
https://github.com/yarnpkg/yarn
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
2c915bda5f35bb805820c159257d96df23e3e9d8
Database specific 
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.17.3"
        }
    ],
    "source": "CPE_FIELD",
    "cpe": "cpe:2.3:a:yarnpkg:yarn:*:*:*:*:*:*:*:*"
}

Affected versions

Other
pre-release
v0.*
v0.10.0
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.15.1
v0.17.0
v0.17.0-0
v0.18.0
v0.18.0-0
v0.19.0
v0.19.0-0
v0.20.0
v0.20.0-0
v0.21.0
v0.21.0-pre
v0.22.0
v0.23.0
v0.25.0
v0.26.0
v0.27.0
v0.28.0
v0.7.0
v0.7.1
v0.8.0
v0.9.0
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.1.0
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.15.0
v1.16.0
v1.17.0
v1.17.1
v1.17.2
v1.2.0
v1.2.1
v1.3.0
v1.3.1
v1.3.2
v1.4.0
v1.4.1
v1.5.0
v1.6.0
v1.7.0
v1.8.0
v1.9.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-5448.json"