CVE-2020-7648

{"id": "CVE-2020-7648", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2020-05-29T22:15:10.613", "references": [{"url": "https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570607", "tags": ["Patch", "Vendor Advisory"], "source": "report@snyk.io"}, {"url": "https://updates.snyk.io/snyk-broker-security-fixes-152338", "tags": ["Vendor Advisory"], "source": "report@snyk.io"}, {"url": "https://snyk.io/vuln/SNYK-JS-SNYKBROKER-570607", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://updates.snyk.io/snyk-broker-security-fixes-152338", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`"}, {"lang": "es", "value": "Todas las versiones de snyk-broker anteriores a 4.72.2, son vulnerables a una Lectura de Archivos Arbitraria. Permite lecturas de archivos arbitrarias para los usuarios que tienen acceso en la red interna de Snyk al a\u00f1adir la URL con un identificador de fragmento y una ruta en la lista blanca, por ejemplo \"#package.json\"."}], "lastModified": "2024-11-21T05:37:32.340", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:synk:broker:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EC2ED432-0E9E-4AF6-9DFB-30AC1E3BB915", "versionEndExcluding": "4.72.2"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}