Description
All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary File Read. Users with access to Snyk's internal network can read arbitrary files by creating symlinks that match whitelisted paths.
Remediation
References
https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570612
https://updates.snyk.io/snyk-broker-security-fixes-152338