
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-7650 is a vulnerability in the snyk-broker package, affecting versions >=4.72.0 <4.73.1, and disclosed on May 28, 2020. snyk-broker is the component that proxies access between snyk.io and source control and issue-tracking systems, including GitHub Enterprise, GitHub.com, Bitbucket Server, and on-premise Jira deployments (Snyk DB).
The vulnerability is classified as an Arbitrary File Read (CWE-22, path traversal). It allows users with access to Snyk's internal network to read arbitrary files whose names end in .yaml, .yml, or .json; the extension restriction limits which files are readable but not where on the filesystem they reside. Snyk assigns a CVSS v3.1 base score of 2.7 (low), with a network attack vector, low attack complexity, high privileges required, and no user interaction (Snyk DB). The NVD rates the same issue at 6.5 (medium); the difference comes from the NVD vector assuming a lower privilege requirement and a high confidentiality impact, so a deployment should decide which set of assumptions matches its own exposure before triaging on score alone.
Under Snyk's rating the impact is confined to confidentiality: restricted information can be disclosed, but the attacker does not control exactly what is obtained, the amount or kind of loss is limited, and the disclosure does not cause a direct, serious loss to the impacted component. Integrity and availability are not affected (Snyk DB).
The vulnerability is fixed in snyk-broker 4.73.1; users should upgrade to that version or later (the installed version can be checked with npm ls snyk-broker). Alongside the fix, Snyk improved the auditability of the Broker code and expanded both client-side and server-side logging to give better visibility into service activity (Snyk Updates).
The vulnerability was responsibly disclosed by Wing Chan of The Hut Group through Snyk's bug bounty program. Snyk stated that the issues pertained to increased privileges available only to specific internal Snyk personnel (Snyk Updates).
Source: This report was generated using AI