Description

All versions of snyk-broker before 4.79.0 are vulnerable to Arbitrary File Read. It allows partial file reads for users who have access to Snyk's internal network via patch history from GitHub Commits API.

Remediation

References

https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570610

https://updates.snyk.io/snyk-broker-security-fixes-152338

Related Vulnerabilities

CVE-2021-43803 Vulnerability in npm package next

CVE-2021-33611 Vulnerability in maven package org.webjars.bowergithub.vaadin:vaadin-menu-bar

CVE-2022-41239 Vulnerability in maven package com.groupon.jenkins-ci.plugins:dotci

CVE-2011-1184 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2016-10744 Vulnerability in maven package org.webjars.npm:select2

Severity

Medium

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Patch Vendor Advisory