CVE-2020-7649: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

July 26, 2022 (updated August 6, 2022)

This affects the package snyk-broker before 4.73.0. It allows arbitrary file reads for users with access to Snyk’s internal network via directory traversal.

References

github.com/advisories/GHSA-gq75-5gc3-rfwg
github.com/snyk/broker/commit/90e0bac07a800b7c4c6646097c9c89d6b878b429
github.com/snyk/broker/releases/tag/v4.73.0
nvd.nist.gov/vuln/detail/CVE-2020-7649
security.snyk.io/vuln/SNYK-JS-SNYKBROKER-570608
updates.snyk.io/snyk-broker-security-fixes-152338

Detect and mitigate CVE-2020-7649 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →