Description
All versions of snyk-broker after 4.72.0, up to and including 4.73.1, are vulnerable to Arbitrary File Read. The vulnerability allows users with access to Snyk's internal network to read any file ending in one of the following extensions: yaml, yml or json.
Remediation
References
https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570609
https://updates.snyk.io/snyk-broker-security-fixes-152338