Description

All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network by creating symlinks to match whitelisted paths.

Remediation

References

https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570612

https://updates.snyk.io/snyk-broker-security-fixes-152338

Related Vulnerabilities

CVE-2023-33201 Vulnerability in maven package org.bouncycastle:bcprov-debug-jdk15to18

CVE-2020-28196 Vulnerability in npm package krb5

CVE-2022-31172 Vulnerability in npm package @openzeppelin/contracts-upgradeable

CVE-2017-1000421 Vulnerability in maven package org.webjars:gifsicle

CVE-2023-48241 Vulnerability in maven package org.xwiki.platform:xwiki-platform-search-solr-query

Severity

High

Classification

CWE-59 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Vendor Advisory