Arbitrary Command Execution Vulnerability in Snyk CLI and IDE Plugins
CVE-2022-40764

7.8HIGH

Key Information:

Vendor

Snyk

Status
Cli
Golang Cli
Vendor
CVE Published:
3 October 2022

What is CVE-2022-40764?

A vulnerability exists in Snyk CLI that allows arbitrary command execution. This issue can be exploited through untrusted file handling in IDEs such as Visual Studio Code, particularly when shell metacharacters are included in the vendor.json ignore field. The vulnerability affects multiple versions of Snyk-related products, potentially allowing attackers to execute commands with elevated privileges. Users are encouraged to update to the latest versions of Snyk CLI and associated plugins to mitigate this risk, as the affected versions fail to address the underlying problems inherent in command execution processes.

References

https://github.com/snyk/snyk-go-plugin/releases/tag/v1.19.1
x_refsource_MISC
https://github.com/snyk/cli/releases/tag/v1.996.0
x_refsource_MISC
https://www.imperva.com/blog/how-scanning-your-projects-f...
x_refsource_MISC

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.