Description
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.
Remediation
References
https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
https://hackerone.com/reports/640904
https://yarnpkg.com/blog/2019/07/12/recommended-security-update/
Related Vulnerabilities
CVE-2023-29003 Vulnerability in npm package @sveltejs/kit
CVE-2021-23379 Vulnerability in npm package portkiller
CVE-2022-31150 Vulnerability in maven package org.webjars.npm:undici
CVE-2022-22984 Vulnerability in npm package snyk-gradle-plugin
CVE-2018-1000863 Vulnerability in maven package org.jenkins-ci.main:jenkins-core