search

turkdevops / node

Node.js JavaScript runtime :sparkles::turtle::rocket::sparkles:
https://nodejs.org/
Other
0 stars 0 forks source link

CVE-2022-24441 (High) detected in snyk-1.437.3.tgz #422

Open mend-bolt-for-github[bot] opened 1 year ago

mend-bolt-for-github[bot] commented 1 year ago

CVE-2022-24441 - High Severity Vulnerability

Vulnerable Library - snyk-1.437.3.tgz

snyk library and cli utility

Library home page: https://registry.npmjs.org/snyk/-/snyk-1.437.3.tgz

Path to dependency file: /deps/npm/docs/package.json

Path to vulnerable library: /deps/npm/docs/package.json

Dependency Hierarchy: - :x: **snyk-1.437.3.tgz** (Vulnerable Library)

Found in HEAD commit: ec9a3f8a365636d40076233e59d310f9ec5e9c96

Found in base branch: master

Vulnerability Details

The package snyk before 1.1064.0 are vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious project can include commands in a build file such as build.gradle or gradle-wrapper.jar, which will be executed with the privileges of the application. This vulnerability may be triggered when running the the CLI tool directly, or when running a scan with one of the IDE plugins that invoke the Snyk CLI. Successful exploitation of this issue would likely require some level of social engineering - to coerce an untrusted project to be downloaded and analyzed via the Snyk CLI or opened in an IDE where a Snyk IDE plugin is installed and enabled. Additionally, if the IDE has a Trust feature then the target folder must be marked as ‘trusted’ in order to be vulnerable. **NOTE:** This issue is independent of the one reported in [CVE-2022-40764](https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342), and upgrading to a fixed version for this addresses that issue as well. The affected IDE plugins and versions are: - VS Code - Affected: <=1.8.0, Fixed: 1.9.0 - IntelliJ - Affected: <=2.4.47, Fixed: 2.4.48 - Visual Studio - Affected: <=1.1.30, Fixed: 1.1.31 - Eclipse - Affected: <=v20221115.132308, Fixed: All subsequent versions - Language Server - Affected: <=v20221109.114426, Fixed: All subsequent versions

Publish Date: 2022-11-30

URL: CVE-2022-24441

CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24441

Release Date: 2022-11-30

Fix Resolution: 1.1064.0

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-bolt-for-github[bot] commented 1 year ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.