Description

All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.

Remediation

References

https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570609

https://updates.snyk.io/snyk-broker-security-fixes-152338

Related Vulnerabilities

CVE-2021-32808 Vulnerability in maven package org.webjars.npm:ckeditor4

CVE-2023-50767 Vulnerability in maven package org.sonatype.nexus.ci:nexus-jenkins-plugin

CVE-2020-7660 Vulnerability in maven package org.webjars.npm:serialize-javascript

CVE-2023-35926 Vulnerability in npm package @backstage/plugin-scaffolder-backend

CVE-2023-32313 Vulnerability in maven package org.webjars.npm:vm2

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Vendor Advisory