CVE - CVE-2022-24441

CVE-ID
CVE-2022-24441	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The package snyk before 1.1064.0 are vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious project can include commands in a build file such as build.gradle or gradle-wrapper.jar, which will be executed with the privileges of the application. This vulnerability may be triggered when running the the CLI tool directly, or when running a scan with one of the IDE plugins that invoke the Snyk CLI. Successful exploitation of this issue would likely require some level of social engineering - to coerce an untrusted project to be downloaded and analyzed via the Snyk CLI or opened in an IDE where a Snyk IDE plugin is installed and enabled. Additionally, if the IDE has a Trust feature then the target folder must be marked as ‘trusted’ in order to be vulnerable. NOTE: This issue is independent of the one reported in [CVE-2022-40764](https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342), and upgrading to a fixed version for this addresses that issue as well. The affected IDE plugins and versions are: - VS Code - Affected: <=1.8.0, Fixed: 1.9.0 - IntelliJ - Affected: <=2.4.47, Fixed: 2.4.48 - Visual Studio - Affected: <=1.1.30, Fixed: 1.1.31 - Eclipse - Affected: <=v20221115.132308, Fixed: All subsequent versions - Language Server - Affected: <=v20221109.114426, Fixed: All subsequent versions
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://github.com/snyk/snyk-eclipse-plugin/commit/b5a8bce25a359ced75f83a729fc6b2393fc9a495 URL:https://github.com/snyk/snyk-eclipse-plugin/commit/b5a8bce25a359ced75f83a729fc6b2393fc9a495 MISC:https://github.com/snyk/snyk-intellij-plugin/commit/56682f4ba6081ce1d95cb980cbfacd3809a826f4 URL:https://github.com/snyk/snyk-intellij-plugin/commit/56682f4ba6081ce1d95cb980cbfacd3809a826f4 MISC:https://github.com/snyk/snyk-ls/commit/b3229f0142f782871aa72d1a7dcf417546d568ed URL:https://github.com/snyk/snyk-ls/commit/b3229f0142f782871aa72d1a7dcf417546d568ed MISC:https://github.com/snyk/snyk-visual-studio-plugin/commit/0b53dbbd4a3153c3ef9aaf797af3b5caad0f731a URL:https://github.com/snyk/snyk-visual-studio-plugin/commit/0b53dbbd4a3153c3ef9aaf797af3b5caad0f731a MISC:https://github.com/snyk/vscode-extension/commit/0db3b4240be0db6a0a5c6d02c0d4231a2c4ba708 URL:https://github.com/snyk/vscode-extension/commit/0db3b4240be0db6a0a5c6d02c0d4231a2c4ba708 MISC:https://security.snyk.io/vuln/SNYK-JS-SNYK-3111871 URL:https://security.snyk.io/vuln/SNYK-JS-SNYK-3111871 MISC:https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/ URL:https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/
Assigning CNA
Snyk
Date Record Created
20220224	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20220224)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)