SB2020060509 - Multiple vulnerabilities in Snyk Broker
Published: June 5, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2020-7650)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote user with access to Snyk's internal network of any files ending in the following extensions: "yaml", "yml" or "json" can gain unauthorized access to sensitive information on the system.
2) Information disclosure (CVE-ID: CVE-2020-7654)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the affected software logs private keys if logging level is set to "DEBUG". A remote attacker can gain unauthorized access to sensitive information on the system.
Remediation
Install update from vendor's website.
References
- https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570609
- https://updates.snyk.io/snyk-broker-security-fixes-152338
- https://github.com/snyk/broker/commit/cda1ad74fbaa4642e3fcd0386ce39fcbfe3dea24
- https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570613
- https://github.com/snyk/broker/commit/7ab581db3234dfd257ed77a055601ec6e396becc