Description

All versions of snyk-broker before 4.79.0 are vulnerable to Arbitrary File Read. It allows partial file reads for users who have access to Snyk's internal network via patch history from GitHub Commits API.

Remediation

References

https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570610

https://updates.snyk.io/snyk-broker-security-fixes-152338

Related Vulnerabilities

CVE-2020-10758 Vulnerability in maven package org.keycloak:keycloak-wildfly-server-subsystem

CVE-2023-46650 Vulnerability in maven package com.coravy.hudson.plugins.github:github

CVE-2020-14340 Vulnerability in maven package org.jboss.xnio:xnio-nio

CVE-2021-32859 Vulnerability in maven package org.webjars.npm:github-com-baremetrics-calendar

CVE-2023-40346 Vulnerability in maven package io.jenkins.plugins:shortcut-job

Severity

Medium

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Patch Vendor Advisory