Description

All versions of snyk-broker before 4.79.0 are vulnerable to Arbitrary File Read. It allows partial file reads for users who have access to Snyk's internal network via patch history from GitHub Commits API.

Remediation

References

https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570610

https://updates.snyk.io/snyk-broker-security-fixes-152338

Related Vulnerabilities

CVE-2010-1157 Vulnerability in maven package tomcat:catalina

CVE-2011-2481 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2023-41080 Vulnerability in maven package org.apache.tomcat:tomcat

CVE-2016-0750 Vulnerability in maven package org.infinispan:infinispan-client-hotrod

CVE-2017-7658 Vulnerability in maven package org.eclipse.jetty:jetty-server

Severity

Medium

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Patch Vendor Advisory