Description
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data (CWE-311). When a yarn.lock file contains http:// rather than https:// URLs for registry tarballs, Yarn sends the registry authentication data attached to those requests over the network unencrypted, where anyone on the network path can read it. Because the URLs come from the lockfile, any change to yarn.lock that downgrades a resolved URL to http:// is enough to trigger the leak on an affected version.
Remediation
Upgrade Yarn to version 1.17.3 or later. Independently of the upgrade, inspect existing yarn.lock files for "resolved" entries whose URL begins with http:// and regenerate or correct them so that every registry request uses https://; on an affected Yarn version every such entry causes credentials to be sent in the clear.
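The following is an added example, not code from the Yarn project or from this advisory. It scans the text of a yarn.lock (v1 format) for "resolved" URLs that use plaintext http://, which are exactly the entries that make an affected Yarn send registry credentials unencrypted, and optionally rewrites them to https:// for hosts the caller knows serve TLS. The sample lockfile, the package names, the sha1 fragments and the registry host names are constructed for the example.

```javascript
// Added example, not part of Yarn or of the advisory: detect and optionally
// fix plaintext http:// "resolved" URLs in a yarn.lock v1 file. The sample
// lockfile below is constructed; the hashes are placeholders, not real sha1s.
const SAMPLE_LOCKFILE = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@scope/safe-pkg@^1.0.0":
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/@scope/safe-pkg/-/safe-pkg-1.0.0.tgz#0000000000000000000000000000000000000001"

left-pad@^1.3.0, left-pad@^1.2.0:
  version "1.3.0"
  resolved "http://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#0000000000000000000000000000000000000002"

internal-lib@2.1.0:
  version "2.1.0"
  resolved "http://npm.internal.example/internal-lib/-/internal-lib-2.1.0.tgz"
`;

// Walk the lockfile line by line. A v1 entry header is an unindented,
// non-comment line ending in ':'; its "resolved" line is indented below it.
// Returns one finding per http:// resolved URL: the entry it belongs to,
// the 1-based line number, the host and the full URL.
function findInsecureResolved(lockfileText) {
  const findings = [];
  let entry = null;
  lockfileText.split('\n').forEach((line, idx) => {
    if (line.length > 0 && !/^[\s#]/.test(line) && line.endsWith(':')) {
      entry = line.slice(0, -1).replace(/"/g, '');
      return;
    }
    const m = /^\s+resolved\s+"?([^"\s]+)"?\s*$/.exec(line);
    if (!m) return;
    let url;
    try {
      url = new URL(m[1]);
    } catch (e) {
      return; // not parseable as a URL; not something Yarn would fetch over http
    }
    // Only the scheme matters here: an https:// URL on the same host is fine.
    if (url.protocol === 'http:') {
      findings.push({ entry, line: idx + 1, host: url.host, url: m[1] });
    }
  });
  return findings;
}

// Rewrite http:// resolved URLs to https:// only for hosts the caller lists
// (assumption: those hosts serve the same tarballs over TLS). Other hosts are
// left alone rather than silently broken; the "#sha1" fragment is kept
// because only the scheme changes.
function rewriteResolvedToHttps(lockfileText, httpsHosts) {
  const hosts = new Set(httpsHosts);
  return lockfileText
    .split('\n')
    .map((line) => {
      const m = /^(\s+resolved\s+")http:\/\/([^/"]+)(.*)$/.exec(line);
      if (!m || !hosts.has(m[2])) return line;
      return `${m[1]}https://${m[2]}${m[3]}`;
    })
    .join('\n');
}

// Report on the constructed sample: two insecure entries, one of which is on
// the public registry and can be rewritten, one on a private host that needs
// a human decision.
const insecure = findInsecureResolved(SAMPLE_LOCKFILE);
for (const f of insecure) {
  console.log(`line ${f.line}: ${f.entry} resolves over plaintext http (${f.host})`);
}
const remaining = findInsecureResolved(
  rewriteResolvedToHttps(SAMPLE_LOCKFILE, ['registry.yarnpkg.com'])
);
console.log(`${remaining.length} insecure entr${remaining.length === 1 ? 'y' : 'ies'} left after rewrite`);
```

Run it against a real lockfile by replacing SAMPLE_LOCKFILE with the file contents (for example via fs.readFileSync). Any finding is a reason to regenerate the lockfile or to fix the URL before installing with a Yarn version older than 1.17.3; a rewritten lockfile should still be verified by a clean install, since the host list is an assumption about which registries serve TLS.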
References
https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
https://yarnpkg.com/blog/2019/07/12/recommended-security-update/
https://hackerone.com/reports/640904