Description
All versions of snyk-broker before 4.79.0 are vulnerable to Arbitrary File Read. The flaw allows partial file reads, via patch history from the GitHub Commits API, for users who have access to Snyk's internal network.
Remediation
References
https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570610
https://updates.snyk.io/snyk-broker-security-fixes-152338
Related Vulnerabilities
CVE-2013-0239 Vulnerability in maven package org.apache.cxf:cxf-rt-ws-security
CVE-2020-35217 Vulnerability in maven package io.vertx:vertx-web
CVE-2022-29078 Vulnerability in maven package org.webjars.npm:ejs
CVE-2020-7663 Vulnerability in maven package org.webjars.npm:websocket-extensions
CVE-2020-7793 Vulnerability in maven package org.webjars.npm:ua-parser-js