CVE-2022-40764
arbitrary command execution vulnerability in snyk (npm)
What is CVE-2022-40764 About?
This vulnerability in the Snyk CLI and related plugins allows arbitrary command execution. It is triggered by shell metacharacters injected into files that the tool reads when scanning or viewing an untrusted project, particularly through the Snyk IDE plugins or the `snyk` npm package. The impact is severe, potentially leading to full system compromise, and exploitation is relatively easy given that an attacker only needs to supply crafted input.
Affected Software
- snyk
  - <1.996.0
- snyk-go-plugin
  - <1.19.1
Technical Details
The vulnerability affects Snyk CLI before 1.996.0, as well as the Snyk IDE plugins (e.g., for Visual Studio Code) and the snyk npm package. It stems from improper handling of shell metacharacters in fields such as the ignore field of vendor.json. When a user opens or processes an untrusted project containing a crafted vendor.json, the Snyk CLI or plugin passes the field's contents into a shell command, so the metacharacters are interpreted by the shell rather than treated as data. This allows an attacker to inject and execute arbitrary commands on the victim's system, leading to remote code execution.
What is the Impact of CVE-2022-40764?
Successful exploitation may allow attackers to execute arbitrary commands on the underlying operating system, leading to full system compromise, data theft, or denial of service.
What is the Exploitability of CVE-2022-40764?
Exploitation is of low to medium complexity, depending on the vector. The main prerequisite is inducing a user to open or process an untrusted project (e.g., one containing a crafted vendor.json) within an affected Snyk environment. No authentication is typically required, as the vulnerability resides in how the tool processes file contents. The injected commands run with the privileges of the user running the Snyk CLI or IDE plugin. This is primarily a local vulnerability, requiring user interaction or access to the user's environment, but it can be initiated remotely (e.g., via a malicious repository). The conditions for exploitation are an affected Snyk version and the common practice of opening untrusted files; the likelihood increases for users who frequently interact with external, untrusted code bases.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-40764?
Available Upgrade Options
- snyk
  - <1.996.0 → Upgrade to 1.996.0
- snyk-go-plugin
  - <1.19.1 → Upgrade to 1.19.1
Additional Resources
- https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution
- https://github.com/snyk/snyk-go-plugin/releases/tag/v1.19.1
- https://github.com/snyk/cli/releases/tag/v1.996.0
- https://github.com/snyk/cli
- https://nvd.nist.gov/vuln/detail/CVE-2022-40764
- https://support.snyk.io/hc/en-us/articles/7015908293789-CVE-2022-40764-Command-Injection-vulnerability-affecting-Snyk-CLI-versions-prior-to-1-996-0
- https://osv.dev/vulnerability/GHSA-hpqj-7cj6-hfj8
What are Similar Vulnerabilities to CVE-2022-40764?
Similar Vulnerabilities: CVE-2021-32537, CVE-2021-43867, CVE-2020-14144, CVE-2020-8174, CVE-2019-16782
