Description

All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network by creating symlinks to match whitelisted paths.

Remediation

References

https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570612

https://updates.snyk.io/snyk-broker-security-fixes-152338

Related Vulnerabilities

CVE-2018-3721 Vulnerability in npm package lodash.mergewith

CVE-2020-7707 Vulnerability in maven package org.webjars.npm:property-expr

CVE-2010-2057 Vulnerability in maven package org.apache.myfaces.trinidad:trinidad-impl

CVE-2023-29214 Vulnerability in maven package org.xwiki.platform:xwiki-platform-panels-ui

CVE-2020-35490 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

Severity

High

Classification

CWE-59 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Vendor Advisory