CVE-2022-24441OS Command Injection in CLI

CWE-78OS Command InjectionCWE-94Code Injection6 documents3 sources
Severity
8.8HIGHNVD
NVD7.2GHSA7.8OSV7.8
EPSS
1.6%
top 17.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Snyk CLICyclonedx CdxgenSnyk Language Server+1 more
Timeline
PublishedNov 30
Latest updateOct 28

Description

The package snyk before 1.1064.0 are vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious project can include commands in a build file such as build.gradle or gradle-wrapper.jar, which will be executed with the privileges of the application. This vulnerability may be triggered when running the the CLI tool directly, or when running a scan with one of the IDE plugins that invoke the Snyk CLI. Successful exploitation of this issue would lik

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

NVDsnyk/snyk_language_server20221109.114426
NVDsnyk/snyk_security1.1.30+3
NVDsnyk/snyk_cli< 1.1064.0
npmsnyk/snyk_cli< 1.1064.0
npmcyclonedx/cdxgen< 11.1.7

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
CycloneDX cdxgen may execute code contained within build-related files2024-10-28
GHSA
CycloneDX cdxgen may execute code contained within build-related files2024-10-28
OSV
snyk Code Injection vulnerability2023-07-06
GHSA
snyk Code Injection vulnerability2023-07-06
CVE-2022-24441 — OS Command Injection in Snyk CLI | cvebase