Lucene search

GoogleOSV:CVE-2022-40764

HistoryOct 03, 2022 - 3:15 p.m.

CVE-2022-40764

2022-10-0315:15:18

Google

osv.dev

cve-2022-40764

snyk cli

arbitrary command execution

snyk ide

snyk npm package

visual studio code

shell metacharacters

vendor.json

snyk-go-plugin

snyk teamcity plugin

0.001 Low

EPSS

Percentile

34.4%

JSON

Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957.

CPENameOperatorVersion
clieq1.31.0
clieq1.383.1
clieq1.399.1
clieq1.262.2
clieq1.11.1
clieq1.798.0
clieq1.443.0
clieq1.24.1
clieq1.52.0
clieq1.275.0

Name	Operator	Version
cli	eq	1.31.0
cli	eq	1.383.1
cli	eq	1.399.1
cli	eq	1.262.2
cli	eq	1.11.1
cli	eq	1.798.0
cli	eq	1.443.0
cli	eq	1.24.1
cli	eq	1.52.0
cli	eq	1.275.0

Rows per page:

1-10 of 14701

References

github.com/snyk/cli/releases/tag/v1.996.0

github.com/snyk/snyk-go-plugin/releases/tag/v1.19.1

support.snyk.io/hc/en-us/articles/7015908293789-CVE-2022-40764-Command-Injection-vulnerability-affecting-Snyk-CLI-versions-prior-to-1-996-0

www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/

0.001 Low

EPSS

Percentile

34.4%

JSON

Related for OSV:CVE-2022-40764