Description

All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network by creating symlinks to match whitelisted paths.

Remediation

References

https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570612

https://updates.snyk.io/snyk-broker-security-fixes-152338

Related Vulnerabilities

CVE-2022-29251 Vulnerability in maven package org.xwiki.platform:xwiki-platform-flamingo-theme-ui

CVE-2017-15878 Vulnerability in npm package keystone

CVE-2021-23353 Vulnerability in maven package org.webjars.npm:jspdf

CVE-2020-7662 Vulnerability in npm package websocket-extensions

CVE-2023-40347 Vulnerability in maven package org.jenkins-ci.plugins:maven-artifact-choicelistprovider

Severity

High

Classification

CWE-59 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Vendor Advisory