Description

All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network by creating symlinks to match whitelisted paths.

Remediation

References

https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570612

https://updates.snyk.io/snyk-broker-security-fixes-152338

Related Vulnerabilities

CVE-2014-0113 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2023-45137 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

CVE-2023-34468 Vulnerability in maven package org.apache.nifi:nifi-hikari-dbcp-service

CVE-2023-24457 Vulnerability in maven package org.jenkins-ci.plugins:keycloak

CVE-2019-19135 Vulnerability in maven package org.eclipse.milo:sdk-client

Severity

High

Classification

CWE-59 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Vendor Advisory