Man-in-the-Middle (MitM) Affecting yarn package, versions <1.17.3


0.0
high

Snyk CVSS

    Attack Complexity High
    User Interaction Required
    Scope Changed
    Confidentiality High
    Availability High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.59% (78th percentile)
Expand this section
NVD
8.1 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-YARN-451571
  • published 15 Jul 2019
  • disclosed 12 Jul 2019
  • credit Сковорода Никита Андреевич

How to fix?

Upgrade yarn to version 1.17.3 or higher.

Overview

yarn is a package for dependency management.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). Npm credentials such as _authToken were found to be sent over clear text when processing scoped packages that are listed as resolved. This could allow a suitably positioned attacker to eavesdrop and compromise the sent credentials.