Description

All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.

Remediation

References

https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570609

https://updates.snyk.io/snyk-broker-security-fixes-152338

Related Vulnerabilities

CVE-2023-29008 Vulnerability in npm package @sveltejs/kit

CVE-2023-37956 Vulnerability in maven package org.jenkins-ci.plugins:test-results-aggregator

CVE-2023-49803 Vulnerability in maven package org.webjars.npm:koa__cors

CVE-2021-43138 Vulnerability in npm package async

CVE-2022-36096 Vulnerability in maven package org.xwiki.platform:xwiki-platform-index-ui

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Vendor Advisory