Description
All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network by creating symlinks to match whitelisted paths.
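The bug class described above, as an added illustration (not snyk-broker's code or its fix): an allowlist check that matches the path as written accepts a symlink placed under an allowed directory, while a check that resolves symlinks first rejects it. The function names, directory layout and file names are assumptions constructed for the example.

```javascript
// Added illustration; not snyk-broker code. All names here are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Weak pattern: the allowlist is matched against the path as written, so a
// symlink under an allowed directory passes even if it points elsewhere.
function naiveIsAllowed(root, requested, allowedDirs) {
  const lexical = path.resolve(root, requested);
  return allowedDirs.some((d) => lexical.startsWith(path.resolve(root, d) + path.sep));
}

// Hardened pattern: resolve symlinks first, then match the real path
// against the real location of each allowed directory.
function safeIsAllowed(root, requested, allowedDirs) {
  try {
    const real = fs.realpathSync(path.resolve(root, requested));
    return allowedDirs.some((d) => {
      const base = fs.realpathSync(path.resolve(root, d));
      return real === base || real.startsWith(base + path.sep);
    });
  } catch {
    return false; // missing or dangling target: deny
  }
}

// Constructed fixture: allowed "config" directory, a file outside the
// allowlist, and a symlink config/link.json -> private/secret.txt.
function buildFixture() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'allowlist-demo-'));
  fs.mkdirSync(path.join(root, 'config'));
  fs.mkdirSync(path.join(root, 'private'));
  fs.writeFileSync(path.join(root, 'config', 'ok.json'), '{}');
  fs.writeFileSync(path.join(root, 'private', 'secret.txt'), 'constructed sample');
  fs.symlinkSync(path.join(root, 'private', 'secret.txt'), path.join(root, 'config', 'link.json'));
  return root;
}

// Runs both checks over a regular file and the symlink, then cleans up.
function demo() {
  const root = buildFixture();
  const allowed = ['config'];
  const result = {
    naiveRegular: naiveIsAllowed(root, 'config/ok.json', allowed),
    naiveSymlink: naiveIsAllowed(root, 'config/link.json', allowed),
    safeRegular: safeIsAllowed(root, 'config/ok.json', allowed),
    safeSymlink: safeIsAllowed(root, 'config/link.json', allowed),
  };
  fs.rmSync(root, { recursive: true, force: true });
  return result;
}
```

Resolving and then opening a path as two separate steps still leaves a window in which the link can be swapped, so the resolved path is the one that should be opened.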
Remediation
References
https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570612
https://updates.snyk.io/snyk-broker-security-fixes-152338