Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957.
CVE-2022-40764 - High Severity Vulnerability
snyk library and cli utility
Library home page: https://registry.npmjs.org/snyk/-/snyk-1.278.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/snyk/package.json
Dependency Hierarchy: - :x: **snyk-1.278.1.tgz** (Vulnerable Library)
Found in HEAD commit: 3f4c2902a45eb04bc7915c408df14545aa90511c
Found in base branch: master
Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957.
Publish Date: 2022-10-03
URL: CVE-2022-40764
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/advisories/GHSA-hpqj-7cj6-hfj8
Release Date: 2022-10-03
Fix Resolution: 1.996.0
Step up your Open Source Security Game with Mend here