CVE-2020-7653: 
JavaScript vulnerability analysis and mitigation

All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary File Read. The vulnerability was discovered by Wing Chan of The Hut Group and was disclosed on May 28, 2020, with public disclosure following on May 29, 2020. The vulnerability affects the snyk-broker package, which is used to proxy access between snyk.io and Git repositories such as GitHub Enterprise, GitHub.com, and Bitbucket Server (Snyk Vuln DB).

The vulnerability allows arbitrary file reads for users with access to Snyk's internal network by creating symlinks to match whitelisted paths. The vulnerability has been assigned CVE-2020-7653 and is categorized as CWE-22. The CVSS v3.1 base score is 6.5 (Medium), with high impact on confidentiality but no impact on integrity or availability. The attack vector is network-based with low attack complexity, requiring high privileges and no user interaction (Snyk Vuln DB).

The vulnerability results in a total loss of confidentiality within the impacted component, allowing attackers to access restricted information that could present a direct, serious impact. However, there is no reported impact on system integrity or availability (Snyk Vuln DB).

The vulnerability has been patched in version 4.80.0 of snyk-broker. Users should upgrade to version 4.80.0 or higher to resolve this security issue. Additionally, Snyk has improved the auditability of the Broker code and enhanced both client and server-side logging to improve visibility of service activity (Snyk Updates).

The vulnerability was responsibly disclosed through Snyk's bug bounty program by Wing Chan of The Hut Group. In response, Snyk has taken steps to improve the auditability of the Broker code and enhanced logging capabilities for better visibility (Snyk Updates).