Description

All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network by creating symlinks to match whitelisted paths.

Remediation

References

https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570612

https://updates.snyk.io/snyk-broker-security-fixes-152338

Related Vulnerabilities

CVE-2023-25572 Vulnerability in maven package org.webjars.npm:ra-ui-materialui

CVE-2020-7751 Vulnerability in npm package pathval

CVE-2023-33187 Vulnerability in npm package highlight.run

CVE-2018-11698 Vulnerability in npm package node-sass

CVE-2017-16008 Vulnerability in maven package org.webjars.bower:i18next

Severity

High

Classification

CWE-59 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Vendor Advisory