CVE-2019-5448: Cryptographic Issues

July 30, 2019 (updated October 9, 2019)

Yarn is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.

References

nvd.nist.gov/vuln/detail/CVE-2019-5448
yarnpkg.com/blog/2019/07/12/recommended-security-update/

Detect and mitigate CVE-2019-5448 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →