#VU28755 Information disclosure in Broker - CVE-2020-7651 

 


Published: June 5, 2020


Vulnerability identifier: #VU28755
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-7651
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Broker
Software vendor: Snyk Ltd.

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote user who has access to Snyk's internal network can use patch history from the GitHub Commits API to gain unauthorized access to sensitive information on the system.


Remediation

Install updates from vendor's website.
