Description

All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.

Remediation

References

https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570609

https://updates.snyk.io/snyk-broker-security-fixes-152338

Related Vulnerabilities

CVE-2020-5229 Vulnerability in maven package org.opencastproject:opencast-common-jpa-impl

CVE-2021-37136 Vulnerability in maven package io.netty:netty-codec

CVE-2023-25572 Vulnerability in maven package org.webjars.npm:react-admin

CVE-2018-25031 Vulnerability in maven package org.webjars.bower:swagger-ui

CVE-2023-45135 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-war

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Vendor Advisory