Description
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data: HTTP URLs in the lockfile cause authentication data to be sent unencrypted over the network.
Remediation
References
https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
https://hackerone.com/reports/640904
https://yarnpkg.com/blog/2019/07/12/recommended-security-update/
Related Vulnerabilities
CVE-2023-26149 Vulnerability in npm package quill-mention
CVE-2022-4640 Vulnerability in maven package net.mingsoft:ms-mcms
CVE-2020-36320 Vulnerability in maven package com.vaadin:vaadin-server
CVE-2020-5497 Vulnerability in maven package org.mitre:openid-connect-server-webapp
CVE-2021-29262 Vulnerability in maven package org.apache.solr:solr-core