Lucene search

PRIOn knowledge basePRION:CVE-2022-40764

HistoryOct 03, 2022 - 3:15 p.m.

Command injection

2022-10-0315:15:00

PRIOn knowledge base

www.prio-n.com

snyk cli

command injection

arbitrary

execution

ide plugins

npm package

visual studio code

shell metacharacters

vendor.json

ignore field

snyk teamcity plugin

automatic update

nvd

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

34.4%

JSON

Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957.

CPENameOperatorVersion
clilt1.996.0
golang_clilt1.19.1

CPE	Name	Operator	Version
	cli	lt	1.996.0
	golang_cli	lt	1.19.1

References

github.com/snyk/cli/releases/tag/v1.996.0

github.com/snyk/snyk-go-plugin/releases/tag/v1.19.1

support.snyk.io/hc/en-us/articles/7015908293789-CVE-2022-40764-Command-Injection-vulnerability-affecting-Snyk-CLI-versions-prior-to-1-996-0

www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/