CVE-2022-40764
HIGHSnyk CLI < 1.996.0 - OS Command Injection via vendor.json ignore field
Title source: llmDescription
Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957.
References (4)
Core 4
Core References
Patch, Release Notes, Third Party Advisory x_refsource_misc
https://github.com/snyk/snyk-go-plugin/releases/tag/v1.19.1
Patch, Release Notes, Third Party Advisory x_refsource_misc
https://github.com/snyk/cli/releases/tag/v1.996.0
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/
Patch, Vendor Advisory x_refsource_misc
https://support.snyk.io/hc/en-us/articles/7015908293789-CVE-2022-40764-Command-Injection-vulnerability-affecting-Snyk-CLI-versions-prior-to-1-996-0
Scores
CVSS v3
7.8
EPSS
0.0338
EPSS Percentile
87.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (4)
npm/snyk
0 - 1.996.0npm
npm/snyk-go-plugin
0 - 1.19.1npm
snyk/cli
< 1.996.0
snyk/golang_cli
< 1.19.1
Published
Oct 03, 2022
Tracked Since
Feb 18, 2026