Description

All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network by creating symlinks to match whitelisted paths.

Remediation

References

https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570612

https://updates.snyk.io/snyk-broker-security-fixes-152338

Related Vulnerabilities

CVE-2011-0013 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2020-13949 Vulnerability in maven package org.apache.thrift:libthrift

CVE-2022-35924 Vulnerability in npm package next-auth

CVE-2022-25206 Vulnerability in maven package org.jenkins-ci.plugins:dbcharts

CVE-2023-44487 Vulnerability in maven package org.eclipse.jetty.http2:http2-common

Severity

High

Classification

CWE-59 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Vendor Advisory