To report a security vulnerability to us, please see https://docs.snyk.io/snyk-data-and-governance/reporting-security-issues.
| CVE | Versions affected | Additional information | Reported by |
|---|---|---|---|
| CVE-2020-7648 | <= 4.72.1 | Allows arbitrary file reads by appending a fragment identifier containing a whitelisted path to the URL | Wing Chan of The Hut Group |
| CVE-2020-7649 | < 4.73.0 | Allows arbitrary file reads via directory traversal | Wing Chan of The Hut Group |
| CVE-2020-7650 | <= 4.73.0 | Allows arbitrary file reads of any file whose name ends in .yaml, .yml or .json | Wing Chan of The Hut Group |
| CVE-2020-7651 | < 4.79.0 | Allows partial file reads via patch history from the GitHub Commits API | Wing Chan of The Hut Group |
| CVE-2020-7652 | < 4.80.0 | Allows arbitrary file reads by renaming files to match whitelisted paths | Wing Chan of The Hut Group |
| CVE-2020-7653 | < 4.80.0 | Allows arbitrary file reads by creating symlinks that match whitelisted paths | Wing Chan of The Hut Group |
| CVE-2020-7654 | <= 4.73.0 | Logs private keys when the logging level is set to DEBUG | Wing Chan of The Hut Group |
| CVE-2024-37890 | <= 4.191.0 | Denial of service; negligible risk for the Broker use case. Mitigated from 4.191.1 | Ryan LaPointe |