Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2022-22984

Опубликовано: 30 нояб. 2022
Источник: nvd
CVSS3: 5
CVSS3: 6.3
EPSS Низкий

Описание

The package snyk before 1.1064.0; the package snyk-mvn-plugin before 2.31.3; the package snyk-gradle-plugin before 3.24.5; the package @snyk/snyk-cocoapods-plugin before 2.5.3; the package snyk-sbt-plugin before 2.16.2; the package snyk-python-plugin before 1.24.2; the package snyk-docker-plugin before 5.6.5; the package @snyk/snyk-hex-plugin before 1.1.6 are vulnerable to Command Injection due to an incomplete fix for CVE-2022-40764. A successful exploit allows attackers to run arbitrary commands on the host system where the Snyk CLI is installed by passing in crafted command line flags. In order to exploit this vulnerability, a user would have to execute the snyk test command on untrusted files. In most cases, an attacker positioned to control the command line arguments to the Snyk CLI would already be positioned to execute arbitrary commands. However, this could be abused in specific scenarios, such as continuous integration pipe

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:snyk:snyk_cli:*:*:*:*:*:*:*:*
Версия до 1.1064.0 (исключая)
cpe:2.3:a:snyk:snyk_cocoapods_cli:*:*:*:*:*:snyk:*:*
Версия до 2.5.3 (исключая)
cpe:2.3:a:snyk:snyk_docker_cli:*:*:*:*:*:snyk:*:*
Версия до 5.6.5 (исключая)
cpe:2.3:a:snyk:snyk_gradle_cli:*:*:*:*:*:snyk:*:*
Версия до 3.24.5 (исключая)
cpe:2.3:a:snyk:snyk_hex_cli:*:*:*:*:*:snyk:*:*
Версия до 1.1.6 (исключая)
cpe:2.3:a:snyk:snyk_maven_cli:*:*:*:*:*:snyk:*:*
Версия до 2.31.3 (исключая)
cpe:2.3:a:snyk:snyk_python_cli:*:*:*:*:*:snyk:*:*
Версия до 1.24.2 (исключая)
cpe:2.3:a:snyk:snyk_sbt_cli:*:*:*:*:*:snyk:*:*
Версия до 2.16.2 (исключая)

EPSS

Процентиль: 89%
0.04668
Низкий

5 Medium

CVSS3

6.3 Medium

CVSS3

Дефекты

CWE-78
CWE-78

Связанные уязвимости

redhat логотип

CVE-2022-22984

CVSS3: 5
redhat
около 3 лет назад

The package snyk before 1.1064.0; the package snyk-mvn-plugin before 2.31.3; the package snyk-gradle-plugin before 3.24.5; the package @snyk/snyk-cocoapods-plugin before 2.5.3; the package snyk-sbt-plugin before 2.16.2; the package snyk-python-plugin before 1.24.2; the package snyk-docker-plugin before 5.6.5; the package @snyk/snyk-hex-plugin before 1.1.6 are vulnerable to Command Injection due to an incomplete fix for [CVE-2022-40764](https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342). A successful exploit allows attackers to run arbitrary commands on the host system where the Snyk CLI is installed by passing in crafted command line flags. In order to exploit this vulnerability, a user would have to execute the snyk test command on untrusted files. In most cases, an attacker positioned to control the command line arguments to the Snyk CLI would already be positioned to execute arbitrary commands. However, this could be abused in specific scenarios, such as continuous integration p...

github логотип

GHSA-4x6g-3cmx-w76r

CVSS3: 6.3
github
около 3 лет назад

Snyk plugins vulnerable to Command Injection

EPSS

Процентиль: 89%
0.04668
Низкий

5 Medium

CVSS3

6.3 Medium

CVSS3

Дефекты

CWE-78
CWE-78