Description
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.
Remediation
References
https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
https://hackerone.com/reports/640904
https://yarnpkg.com/blog/2019/07/12/recommended-security-update/
Related Vulnerabilities
CVE-2022-29161 Vulnerability in maven package org.xwiki.platform:xwiki-platform-crypto
CVE-2023-25330 Vulnerability in maven package com.baomidou:mybatis-plus-extension
CVE-2021-39176 Vulnerability in npm package detect-character-encoding
CVE-2023-30521 Vulnerability in maven package org.jenkins-ci.plugins:assembla-merge-request-builder
CVE-2020-17533 Vulnerability in maven package org.apache.accumulo:accumulo-core