<p>Upgrade <code>org.webjars.npm:yarn</code> to version 2.0.0-rc.27 or higher.</p>

Man-in-the-Middle (MitM) Affecting org.webjars.npm:yarn package, versions [,2.0.0-rc.27)

Snyk CVSS

Attack Complexity High

User Interaction Required

Scope Changed

Confidentiality High

Availability High

Threat Intelligence

Exploit Maturity Proof of concept

EPSS 0.59% (78^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGWEBJARSNPM-480358
published 15 Jul 2019
disclosed 12 Jul 2019
credit Сковорода Никита Андреевич

Report a new vulnerability Found a mistake?

Introduced: 12 Jul 2019

CVE-2019-5448 Open this link in a new tab CWE-300 Open this link in a new tab

How to fix?

Upgrade org.webjars.npm:yarn to version 2.0.0-rc.27 or higher.

Overview

org.webjars.npm:yarn is a package for dependency management.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). Npm credentials such as _authToken were found to be sent over clear text when processing scoped packages that are listed as resolved. This could allow a suitably positioned attacker to eavesdrop and compromise the sent credentials.