Description

All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network by creating symlinks to match whitelisted paths.

Remediation

References

https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570612

https://updates.snyk.io/snyk-broker-security-fixes-152338

Related Vulnerabilities

CVE-2022-37616 Vulnerability in npm package xmldom

CVE-2023-28674 Vulnerability in maven package org.jenkinsci.plugins:octoperf

CVE-2014-7810 Vulnerability in maven package org.apache.tomcat:jasper

CVE-2022-21724 Vulnerability in maven package org.postgresql:postgresql

CVE-2019-10241 Vulnerability in maven package org.eclipse.jetty:jetty-util

Severity

High

Classification

CWE-59 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Vendor Advisory