Description
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data: when a lockfile contains HTTP (rather than HTTPS) URLs, Yarn sends authentication data to those URLs, so the credentials cross the network unencrypted.
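A defender-side check for the condition described above, added here as an example and not part of this record or of Yarn's own code: it scans a yarn.lock (v1 format) for `resolved` URLs that use plain `http://` and rewrites them to `https://`. The lockfile text is constructed for the demo; the package names and hash fragments in it are placeholders.

```javascript
// Constructed yarn.lock v1 fragment (placeholder entries, not a real project).
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


left-pad@^1.3.0:
  version "1.3.0"
  resolved "http://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz#placeholdersha1"
  integrity sha512-placeholder

lodash@^4.17.15:
  version "4.17.15"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.15.tgz#placeholdersha1"
  integrity sha512-placeholder
`;

const HEADER_RE = /^[^\s#].*:$/;              // entry header, e.g. `left-pad@^1.3.0:`
const RESOLVED_RE = /^[ \t]+resolved "([^"]+)"/; // `  resolved "<url>"` line

// Return one finding per `resolved` URL whose scheme is plain http.
// Each finding records the 1-based line, the owning entry and the URL.
function findInsecureResolved(lockText) {
  const findings = [];
  let entry = null;
  lockText.split("\n").forEach((line, idx) => {
    if (HEADER_RE.test(line)) { entry = line.slice(0, -1); return; }
    const m = RESOLVED_RE.exec(line);
    if (m && /^http:\/\//i.test(m[1])) {
      findings.push({ line: idx + 1, entry, url: m[1] });
    }
  });
  return findings;
}

// Rewrite http:// resolved URLs to https://. Only the scheme changes; the
// integrity field still pins the tarball content, so verification is unchanged.
function rewriteToHttps(lockText) {
  return lockText.replace(/^([ \t]+resolved ")http:\/\//gim, "$1https://");
}

// Report what a CI check would flag on the sample lockfile.
for (const f of findInsecureResolved(SAMPLE_LOCK)) {
  console.log(`line ${f.line}: ${f.entry} resolves over plain HTTP: ${f.url}`);
}
```

Run it against a real yarn.lock by replacing SAMPLE_LOCK with the file contents; a non-empty result means credentials could be sent in the clear by the affected Yarn versions, and the rewritten text can be committed once the registry is confirmed to serve HTTPS.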
Remediation
Upgrade Yarn to version 1.17.3 or later.
References
https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
https://hackerone.com/reports/640904
https://yarnpkg.com/blog/2019/07/12/recommended-security-update/