Description
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. The vulnerability allows users with access to Snyk's internal network to read any file ending in one of the following extensions: yaml, yml or json.
Remediation
References
https://updates.snyk.io/snyk-broker-security-fixes-152338
https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570609