Description
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.
Remediation
References
https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
https://hackerone.com/reports/640904
https://yarnpkg.com/blog/2019/07/12/recommended-security-update/
Related Vulnerabilities
CVE-2020-7699 Vulnerability in npm package express-fileupload
CVE-2023-0482 Vulnerability in maven package org.jboss.resteasy:resteasy-undertow
CVE-2023-34602 Vulnerability in maven package org.jeecgframework.boot:jeecg-boot-base-core
CVE-2022-23496 Vulnerability in maven package nl.basjes.parse.useragent:yauaa