Description

All versions of snyk-broker before 4.79.0 are vulnerable to Arbitrary File Read. It allows partial file reads for users who have access to Snyk's internal network via patch history from GitHub Commits API.

Remediation

References

https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570610

https://updates.snyk.io/snyk-broker-security-fixes-152338

Related Vulnerabilities

CVE-2010-5312 Vulnerability in maven package org.fujion.webjars:jquery-ui

CVE-2018-3785 Vulnerability in npm package git-dummy-commit

CVE-2021-46440 Vulnerability in npm package strapi

CVE-2023-46731 Vulnerability in maven package org.xwiki.platform:xwiki-platform-administration-ui

CVE-2023-26055 Vulnerability in maven package org.xwiki.commons:xwiki-commons-xml

Severity

Medium

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Patch Vendor Advisory