Please send any issue that you feel affects the security of this module to security@snyk.io.
Please do not log security concerns as GitHub issues, as that could alert attackers to a potential flaw. If you want to nudge us beyond the email to security@snyk.io, tell us you sent such an email (without the details) on another channel, such as:
- Open an issue here on GitHub, with an email address we can use to contact you for a more detailed report.
- Send an email to support@snyk.io
- Message @snyksec on Twitter.
CVE | Versions affected | Additional information | Reported by |
---|---|---|---|
CVE-2020-7648 | <= 4.72.1 | Allows arbitrary file reads by appending the URL with a fragment identifier and a whitelisted path | Wing Chan of The Hut Group |
CVE-2020-7649 | < 4.73.0 | Allows arbitrary file reads via directory traversal | Wing Chan of The Hut Group |
CVE-2020-7650 | <= 4.73.0 | Allows arbitrary file reads of any files ending in the following extensions: yaml, yml or json | Wing Chan of The Hut Group |
CVE-2020-7651 | < 4.79.0 | Allows partial file reads via patch history from GitHub Commits API | Wing Chan of The Hut Group |
CVE-2020-7652 | < 4.80.0 | Allows arbitrary file reads by renaming files to match whitelisted paths | Wing Chan of The Hut Group |
CVE-2020-7653 | < 4.80.0 | Allows arbitrary file reads by creating symlinks to match whitelisted paths | Wing Chan of The Hut Group |
CVE-2020-7654 | <= 4.73.0 | Logs private keys if logging level is set to DEBUG | Wing Chan of The Hut Group |
CVE-2024-37890 | <= 4.191.0 | Denial of service; negligible risk for the Broker use case. Mitigated from 4.191.1 | Ryan LaPointe |