Vulnerability-Lookup

CNVD-2020-54144

Vulnerability from cnvd - Published: 2020-09-25

Title

snyk-broker信息泄露漏洞（CNVD-2020-54144）

Description

snyk-broker是一款用于snyk.io和Git存储库之间访问的代理程序。 snyk-broker 4.72.0及之后版本（4.73.1版本已修复）中存在安全漏洞。攻击者可利用该漏洞读取任意文件。

Severity

中

Patch Name

snyk-broker信息泄露漏洞（CNVD-2020-54144）的补丁

Patch Description

snyk-broker是一款用于snyk.io和Git存储库之间访问的代理程序。 snyk-broker 4.72.0及之后版本（4.73.1版本已修复）中存在安全漏洞。攻击者可利用该漏洞读取任意文件。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://updates.snyk.io/snyk-broker-security-fixes-152338

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-7650

Impacted products

Name
snyk-broker snyk-broker >=4.72.0，<4.73.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-7650"
    }
  },
  "description": "snyk-broker\u662f\u4e00\u6b3e\u7528\u4e8esnyk.io\u548cGit\u5b58\u50a8\u5e93\u4e4b\u95f4\u8bbf\u95ee\u7684\u4ee3\u7406\u7a0b\u5e8f\u3002\n\nsnyk-broker 4.72.0\u53ca\u4e4b\u540e\u7248\u672c\uff084.73.1\u7248\u672c\u5df2\u4fee\u590d\uff09\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u53d6\u4efb\u610f\u6587\u4ef6\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://updates.snyk.io/snyk-broker-security-fixes-152338",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-54144",
  "openTime": "2020-09-25",
  "patchDescription": "snyk-broker\u662f\u4e00\u6b3e\u7528\u4e8esnyk.io\u548cGit\u5b58\u50a8\u5e93\u4e4b\u95f4\u8bbf\u95ee\u7684\u4ee3\u7406\u7a0b\u5e8f\u3002\r\n\r\nsnyk-broker 4.72.0\u53ca\u4e4b\u540e\u7248\u672c\uff084.73.1\u7248\u672c\u5df2\u4fee\u590d\uff09\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u53d6\u4efb\u610f\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "snyk-broker\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2020-54144\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "snyk-broker snyk-broker \u003e=4.72.0\uff0c\u003c4.73.1"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-7650",
  "serverity": "\u4e2d",
  "submitTime": "2020-06-01",
  "title": "snyk-broker\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2020-54144\uff09"
}

CVE-2020-7650 (GCVE-0-2020-7650)

Vulnerability from cvelistv5 – Published: 2020-05-29 21:11 – Updated: 2024-08-04 09:33

Summary

All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.

Severity ?

No CVSS data available.

CWE

Arbitrary File Read

Assigner

snyk

References

URL

Tags

	https://updates.snyk.io/snyk-broker-security-fixe…	x_refsource_MISC
	https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570609	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	snyk-broker	Affected: All versions after 4.72.0 including and before 4.73.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:33:19.992Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://updates.snyk.io/snyk-broker-security-fixes-152338"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570609"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "snyk-broker",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "All versions after 4.72.0 including and before 4.73.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk\u0027s internal network of any files ending in the following extensions: yaml, yml or json."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Arbitrary File Read",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-29T21:11:39",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://updates.snyk.io/snyk-broker-security-fixes-152338"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570609"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "report@snyk.io",
          "ID": "CVE-2020-7650",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "snyk-broker",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions after 4.72.0 including and before 4.73.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk\u0027s internal network of any files ending in the following extensions: yaml, yml or json."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Arbitrary File Read"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://updates.snyk.io/snyk-broker-security-fixes-152338",
              "refsource": "MISC",
              "url": "https://updates.snyk.io/snyk-broker-security-fixes-152338"
            },
            {
              "name": "https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570609",
              "refsource": "MISC",
              "url": "https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570609"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2020-7650",
    "datePublished": "2020-05-29T21:11:39",
    "dateReserved": "2020-01-21T00:00:00",
    "dateUpdated": "2024-08-04T09:33:19.992Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-54144

CVE-2020-7650 (GCVE-0-2020-7650)

Tags

Sightings

Nomenclature