Description
All versions of snyk-broker from 4.72.0 (inclusive) up to, but not including, 4.73.1 are vulnerable to Arbitrary File Read. A user with access to Snyk's internal network can read arbitrary files whose names end in one of the following extensions: yaml, yml or json.
Remediation
References
https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570609
https://updates.snyk.io/snyk-broker-security-fixes-152338