Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957.
Vulnerable Library - snyk-1.374.0.tgz
snyk library and cli utility
Library home page: https://registry.npmjs.org/snyk/-/snyk-1.374.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-3807
### Vulnerable Library - ansi-regex-3.0.0.tgzRegular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - snyk-1.374.0.tgz (Root Library) - inquirer-6.2.2-patch.tgz - string-width-2.1.1.tgz - strip-ansi-4.0.0.tgz - :x: **ansi-regex-3.0.0.tgz** (Vulnerable Library)
Found in base branch: unstable
### Vulnerability Detailsansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.4%
### CVSS 4 Score Details (8.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 3.0.1
Direct dependency fix Resolution (snyk): 1.375.0
In order to enable automatic remediation, please create workflow rules
CVE-2022-40764
### Vulnerable Library - snyk-1.374.0.tgzsnyk library and cli utility
Library home page: https://registry.npmjs.org/snyk/-/snyk-1.374.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - :x: **snyk-1.374.0.tgz** (Vulnerable Library)
Found in base branch: unstable
### Vulnerability DetailsSnyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957.
Publish Date: 2022-10-03
URL: CVE-2022-40764
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 4 Score Details (8.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-hpqj-7cj6-hfj8
Release Date: 2022-10-03
Fix Resolution: 1.996.0
In order to enable automatic remediation, please create workflow rules
CVE-2022-33987
### Vulnerable Library - got-11.5.2.tgzHuman-friendly and powerful HTTP request library for Node.js
Library home page: https://registry.npmjs.org/got/-/got-11.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - snyk-1.374.0.tgz (Root Library) - snyk-nodejs-lockfile-parser-1.26.3.tgz - core-2.1.1.tgz - :x: **got-11.5.2.tgz** (Vulnerable Library)
Found in base branch: unstable
### Vulnerability DetailsThe got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 4 Score Details (6.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution (got): 11.8.6
Direct dependency fix Resolution (snyk): 1.685.0
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules