Description

All versions of snyk-broker before 4.79.0 are vulnerable to Arbitrary File Read. It allows partial file reads for users who have access to Snyk's internal network via patch history from GitHub Commits API.

Remediation

References

https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570610

https://updates.snyk.io/snyk-broker-security-fixes-152338

Related Vulnerabilities

CVE-2021-23490 Vulnerability in npm package parse-link-header

CVE-2013-6397 Vulnerability in maven package org.apache.solr:solr-velocity

CVE-2022-24891 Vulnerability in maven package org.owasp.esapi:esapi

CVE-2021-21409 Vulnerability in maven package io.netty:netty-codec-http2

CVE-2011-1183 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

Severity

Medium

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Patch Vendor Advisory