GHSA-9xv2-548x-5h79

Source

https://github.com/advisories/GHSA-9xv2-548x-5h79

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-9xv2-548x-5h79/GHSA-9xv2-548x-5h79.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-9xv2-548x-5h79

Aliases

CVE-2020-7648

Published

2020-06-03T22:02:19Z

Modified

2024-05-08T06:59:10.029273Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Arbitrary File Read in Snyk Broker

Details

All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. #package.json

Database specific

{
    "nvd_published_at": "2020-05-29T22:15:00Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2020-06-01T19:42:21Z",
    "github_reviewed": true
}

References

Affected packages

npm / snyk-broker

Package

Name: snyk-broker; View open source insights on deps.dev
Purl: pkg:npm/snyk-broker

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.72.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-9xv2-548x-5h79/GHSA-9xv2-548x-5h79.json"