{"url":"http://public2.vulnerablecode.io/api/packages/445402?format=json","purl":"pkg:npm/yarn@1.2.0","type":"npm","namespace":"","name":"yarn","version":"1.2.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.22.13","latest_non_vulnerable_version":"1.22.13","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/156355?format=json","vulnerability_id":"VCID-2qqs-1h2r-7udy","summary":"An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-4435.json","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-4435.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-4435","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16311","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16187","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16329","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16341","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-4435"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4435","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4435"},{"reference_url":"https://github.com/yarnpkg/yarn","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/yarnpkg/yarn"},{"reference_url":"https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1","reference_id":"67fcce88935e45092ffa2674c08053f1ef5268a1","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-06-17T14:29:04Z/"}],"url":"https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1"},{"reference_url":"https://access.redhat.com/security/cve/CVE-2021-4435","reference_id":"CVE-2021-4435","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-06-17T14:29:04Z/"}],"url":"https://access.redhat.com/security/cve/CVE-2021-4435"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-4435","reference_id":"CVE-2021-4435","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-4435"},{"reference_url":"https://github.com/advisories/GHSA-mpwj-fcr6-x34c","reference_id":"GHSA-mpwj-fcr6-x34c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mpwj-fcr6-x34c"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2262284","reference_id":"show_bug.cgi?id=2262284","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-06-17T14:29:04Z/"}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2262284"},{"reference_url":"https://github.com/yarnpkg/yarn/releases/tag/v1.22.13","reference_id":"v1.22.13","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-06-17T14:29:04Z/"}],"url":"https://github.com/yarnpkg/yarn/releases/tag/v1.22.13"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28747?format=json","purl":"pkg:npm/yarn@1.22.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/yarn@1.22.13"}],"aliases":["CVE-2021-4435","GHSA-mpwj-fcr6-x34c"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2qqs-1h2r-7udy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/206938?format=json","vulnerability_id":"VCID-3r4f-gc21-c7bp","summary":"The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-15608.json","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-15608.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-15608","reference_id":"","reference_type":"","scores":[{"value":"0.00463","scoring_system":"epss","scoring_elements":"0.64846","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00463","scoring_system":"epss","scoring_elements":"0.64744","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00463","scoring_system":"epss","scoring_elements":"0.64855","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00463","scoring_system":"epss","scoring_elements":"0.64858","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-15608"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15608","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15608"},{"reference_url":"https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190"},{"reference_url":"https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c"},{"reference_url":"https://hackerone.com/reports/703138","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/703138"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1851875","reference_id":"1851875","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1851875"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-15608","reference_id":"CVE-2019-15608","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-15608"},{"reference_url":"https://github.com/advisories/GHSA-hjxc-462x-x77j","reference_id":"GHSA-hjxc-462x-x77j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hjxc-462x-x77j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19113?format=json","purl":"pkg:npm/yarn@1.19.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2qqs-1h2r-7udy"},{"vulnerability":"VCID-gpqp-yv99-g7aw"},{"vulnerability":"VCID-qddz-ef3f-q3hn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/yarn@1.19.0"}],"aliases":["CVE-2019-15608","GHSA-hjxc-462x-x77j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3r4f-gc21-c7bp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/204518?format=json","vulnerability_id":"VCID-gpqp-yv99-g7aw","summary":"Yarn Improper link resolution before file access (Link Following)","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0475","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2020:0475"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10773.json","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10773.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10773","reference_id":"","reference_type":"","scores":[{"value":"0.00546","scoring_system":"epss","scoring_elements":"0.68375","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00546","scoring_system":"epss","scoring_elements":"0.68279","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00546","scoring_system":"epss","scoring_elements":"0.68368","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00546","scoring_system":"epss","scoring_elements":"0.6838","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10773"},{"reference_url":"https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn"},{"reference_url":"https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/","reference_id":"","reference_type":"","scores":[],"url":"https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10773","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10773"},{"reference_url":"https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7"},{"reference_url":"https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023"},{"reference_url":"https://github.com/yarnpkg/yarn/pull/7755","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/yarnpkg/yarn/pull/7755"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HIZW4NZVV5QY5WWGW2JRP3FHYKZ6ZJ5/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITY5BC63CCC647DFNUQRQ5AJDKUKUNBI/"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-YARN-537806,","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-YARN-537806,"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1788328","reference_id":"1788328","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1788328"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10773","reference_id":"CVE-2019-10773","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10773"},{"reference_url":"https://github.com/advisories/GHSA-5xf4-f2fq-f69j","reference_id":"GHSA-5xf4-f2fq-f69j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5xf4-f2fq-f69j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/16165?format=json","purl":"pkg:npm/yarn@1.21.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2qqs-1h2r-7udy"},{"vulnerability":"VCID-gpqp-yv99-g7aw"},{"vulnerability":"VCID-qddz-ef3f-q3hn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/yarn@1.21.1"},{"url":"http://public2.vulnerablecode.io/api/packages/16166?format=json","purl":"pkg:npm/yarn@1.22.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2qqs-1h2r-7udy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/yarn@1.22.0"}],"aliases":["CVE-2019-10773","GHSA-5xf4-f2fq-f69j"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gpqp-yv99-g7aw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8766?format=json","vulnerability_id":"VCID-qddz-ef3f-q3hn","summary":"","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8131.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8131.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8131","reference_id":"","reference_type":"","scores":[{"value":"0.01041","scoring_system":"epss","scoring_elements":"0.77931","published_at":"2026-06-12T12:55:00Z"},{"value":"0.01041","scoring_system":"epss","scoring_elements":"0.77938","published_at":"2026-06-14T12:55:00Z"},{"value":"0.01041","scoring_system":"epss","scoring_elements":"0.77862","published_at":"2026-06-11T12:55:00Z"},{"value":"0.01041","scoring_system":"epss","scoring_elements":"0.77945","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8131"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8131","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8131"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/yarnpkg/yarn/pull/7831","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/yarnpkg/yarn/pull/7831"},{"reference_url":"https://hackerone.com/reports/730239","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/730239"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1816261","reference_id":"1816261","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1816261"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952912","reference_id":"952912","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952912"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8131","reference_id":"CVE-2020-8131","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8131"},{"reference_url":"https://github.com/advisories/GHSA-8mfc-v7wv-p62g","reference_id":"GHSA-8mfc-v7wv-p62g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8mfc-v7wv-p62g"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0420","reference_id":"RHSA-2021:0420","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0420"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/16166?format=json","purl":"pkg:npm/yarn@1.22.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2qqs-1h2r-7udy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/yarn@1.22.0"}],"aliases":["CVE-2020-8131","GHSA-8mfc-v7wv-p62g"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qddz-ef3f-q3hn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/203944?format=json","vulnerability_id":"VCID-r968-mjku-quah","summary":"Missing Encryption of Sensitive Data in yarn","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5448","reference_id":"","reference_type":"","scores":[{"value":"0.00107","scoring_system":"epss","scoring_elements":"0.28692","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00107","scoring_system":"epss","scoring_elements":"0.28496","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00107","scoring_system":"epss","scoring_elements":"0.28708","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00107","scoring_system":"epss","scoring_elements":"0.28718","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-5448"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5448","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5448"},{"reference_url":"https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md"},{"reference_url":"https://hackerone.com/reports/640904","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/640904"},{"reference_url":"https://yarnpkg.com/blog/2019/07/12/recommended-security-update","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://yarnpkg.com/blog/2019/07/12/recommended-security-update"},{"reference_url":"https://yarnpkg.com/blog/2019/07/12/recommended-security-update/","reference_id":"","reference_type":"","scores":[],"url":"https://yarnpkg.com/blog/2019/07/12/recommended-security-update/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941354","reference_id":"941354","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941354"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-5448","reference_id":"CVE-2019-5448","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-5448"},{"reference_url":"https://github.com/advisories/GHSA-wqfc-cr59-h64p","reference_id":"GHSA-wqfc-cr59-h64p","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wqfc-cr59-h64p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/15504?format=json","purl":"pkg:npm/yarn@1.17.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2qqs-1h2r-7udy"},{"vulnerability":"VCID-3r4f-gc21-c7bp"},{"vulnerability":"VCID-gpqp-yv99-g7aw"},{"vulnerability":"VCID-qddz-ef3f-q3hn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/yarn@1.17.3"}],"aliases":["CVE-2019-5448","GHSA-wqfc-cr59-h64p"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r968-mjku-quah"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/yarn@1.2.0"}