Description
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data: HTTP (non-TLS) URLs in the lockfile cause authentication data to be sent over the network unencrypted.
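A defender-side check for the condition this advisory describes, added here as an example (not code from the Yarn project or the referenced reports): it walks a yarn.lock v1 file, flags every entry whose `resolved` URL is plain http, and offers a rewrite to https. The lockfile content and the registry host `registry.example.internal` are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample yarn.lock (v1 format): one entry resolved over TLS, one over plain HTTP.
SAMPLE_LOCKFILE = '''# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@scope/safe-pkg@^1.0.0":
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/@scope/safe-pkg/-/safe-pkg-1.0.0.tgz#0123456789abcdef0123456789abcdef01234567"

leaky-pkg@^2.1.0, leaky-pkg@~2.1.0:
  version "2.1.3"
  resolved "http://registry.example.internal/leaky-pkg/-/leaky-pkg-2.1.3.tgz#89abcdef0123456789abcdef0123456789abcdef"
'''

_ENTRY_HEADER = re.compile(r'^(\S.*):\s*$')                # non-indented 'name@range:' line
_RESOLVED_LINE = re.compile(r'^[ \t]+resolved[ \t]+"([^"]+)"')  # indented resolved "url" line


def find_insecure_resolved(lockfile_text):
    """Return [(entry_header, url)] for every entry whose resolved URL uses plain http."""
    findings = []
    current = None
    for line in lockfile_text.splitlines():
        header = _ENTRY_HEADER.match(line)
        if header:
            current = header.group(1).strip('"')
            continue
        resolved = _RESOLVED_LINE.match(line)
        if resolved and current is not None:
            url = resolved.group(1)
            # Any credentials Yarn attaches for this host would travel in the clear.
            if urlparse(url).scheme.lower() == 'http':
                findings.append((current, url))
    return findings


def upgrade_resolved_to_https(lockfile_text):
    """Rewrite http:// resolved URLs to https://; only valid if the registry actually serves TLS."""
    return re.sub(r'^([ \t]+resolved[ \t]+)"http://', r'\1"https://', lockfile_text, flags=re.M)


if __name__ == "__main__":
    for entry, url in find_insecure_resolved(SAMPLE_LOCKFILE):
        print(f"insecure resolved URL for {entry}: {url}")
```

Run it against a real yarn.lock by reading the file into `find_insecure_resolved`; the rewrite helper should be applied only after confirming the registry answers over TLS, then re-run `yarn install` so integrity hashes are re-verified.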
Remediation
References
https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
https://hackerone.com/reports/640904
https://yarnpkg.com/blog/2019/07/12/recommended-security-update/
Related Vulnerabilities
CVE-2022-23647 Vulnerability in npm package prismjs
CVE-2019-19040 Vulnerability in maven package org.kairosdb:kairosdb
CVE-2023-29526 Vulnerability in maven package org.xwiki.platform:xwiki-platform-rendering-async-api
CVE-2020-26237 Vulnerability in npm package highlight.js
CVE-2021-32824 Vulnerability in maven package org.apache.dubbo:dubbo-common