Home > Vulnerability Database > CVE-2022-40764

Mend.io Vulnerability Database

CVE-2022-40764

Good to know:

Date: October 3, 2022

Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957.

Language: JS

Severity Score

7.8

Related Resources (4)

Url: https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/

Url: https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-40764

Url: https://www.mend.io/vulnerability-database/CVE-2022-40764

Severity Score

7.8

Weakness Type (CWE)

Command Injection

CWE-77

OS Command Injections

CWE-78

Top Fix

Upgrade Version

Upgrade to version snyk - 1.996.0;snyk-go-plugin - 1.19.1

Learn More

CVSS v3.1

Base Score:	7.8
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2022-40764

Good to know:

Date: October 3, 2022

Language: JS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?