Overview
Snyk was notified by Imperva of a vulnerability (CVE-2022-40764) affecting the Snyk CLI and IDE plugins. Snyk took immediate action to reproduce and mitigate this vulnerability, and on September 1, 2022 Snyk released CLI v1.996.0 to address the discovered vulnerability.
To be exposed to this vulnerability, a developer would have to execute a snyk test command on untrusted files or load untrusted files in their IDE.
This vulnerability affected users of the Snyk CLI and the Snyk IDE plugins. By default, Snyk IDE plugin users were automatically updated within four days of the release of Snyk CLI v1.996.0 on September 1, 2022. Users who have disabled automatic updates should re-enable updates in the plugin preferences so that the plugin picks up the latest CLI version. Refer to the IDE information that follows.
Recommended actions
Snyk CLI
Update your Snyk CLI to version 1.996.0 or higher.
Ex. npm i -g snyk@1.996.0
or npm i -g snyk@latest
You can check which version of the Snyk CLI you have installed by running snyk --version.
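Checking an installed CLI against the fixed version, as an added example that is not Snyk's own tooling: the script below reads the output of snyk --version (assumed to start with a dotted version number such as 1.996.0, possibly followed by other text) and compares it to 1.996.0 component by component. The numeric comparison matters because a plain string comparison would rank 1.1017.0, the CLI bundled with the fixed TeamCity plugin, below 1.996.0. The snyk invocation at the bottom is skipped when the CLI is not on PATH, so the helper functions can also be used on their own.

```shell
#!/bin/sh
# Added example, not part of the Snyk advisory or Snyk's tooling.
# Minimum CLI version that contains the fix for CVE-2022-40764.
MIN_SNYK_VERSION="1.996.0"

# version_ge A B: exit 0 if dotted version A is >= B, comparing each of the
# first three components numerically (missing components count as 0).
version_ge() {
    IFS=. read -r a1 a2 a3 _ <<EOF
$1
EOF
    IFS=. read -r b1 b2 b3 _ <<EOF
$2
EOF
    for pair in "${a1:-0}:${b1:-0}" "${a2:-0}:${b2:-0}" "${a3:-0}:${b3:-0}"; do
        x=${pair%%:*}
        y=${pair#*:}
        if [ "$x" -gt "$y" ]; then
            return 0
        fi
        if [ "$x" -lt "$y" ]; then
            return 1
        fi
    done
    return 0
}

# snyk_cli_fixed VERSION_OUTPUT: exit 0 if the version printed by `snyk --version`
# is at or above MIN_SNYK_VERSION, 1 if it is older, 2 if no version was found.
# Assumption: the output begins with (or contains) a X.Y.Z number; anything
# after it is ignored.
snyk_cli_fixed() {
    v=$(printf '%s' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$v" ]; then
        return 2
    fi
    version_ge "$v" "$MIN_SNYK_VERSION"
}

# Only query the real CLI when it is installed; otherwise the functions above
# can still be exercised with a version string of your choosing.
if command -v snyk >/dev/null 2>&1; then
    installed=$(snyk --version 2>/dev/null)
    if snyk_cli_fixed "$installed"; then
        echo "Snyk CLI $installed is at or above $MIN_SNYK_VERSION (contains the fix for CVE-2022-40764)."
    else
        echo "Snyk CLI '$installed' is older than $MIN_SNYK_VERSION or unrecognised; run: npm i -g snyk@latest"
    fi
fi
```

The same comparison can be reused in a CI step to fail a job when a pinned or cached CLI is older than 1.996.0, instead of relying on the plugin's own auto-update.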
Snyk IDE Plugins
You can check which instance of the Snyk CLI your IDE is using and toggle updates in the preferences. See the Snyk instructions for Jetbrains, VSCode, Eclipse, and Visual Studio or the Snyk Language Server if you use it directly.
If your copy of the IDE plugin does not have these settings, upgrade to the latest version of the plugin.
Snyk CI/CD Plugins
By default, most CI/CD plugins update automatically, either in their entirety or in the version of the CLI they use. The primary exception is the Snyk TeamCity plugin, for which a new version has been released: update the Snyk TeamCity plugin to version v20220930.142957 or newer.
If automatic updates have been turned off, Snyk recommends either switching the configuration back to automatic CLI updates or manually updating to Snyk CLI version 1.996.0 or higher.
Integration-specific details:
- Artifactory: Our Artifactory plugin does not use the CLI and is not affected.
- Nexus: Our Nexus plugin does not use the CLI and is not affected.
- CircleCI: The Snyk Orb checks and updates the CLI automatically on scan.
- Snyk Maven Plugin: Automatically updates the CLI and will use the fixed version unless it has been manually configured not to update, or a custom CLI instance has been specified. Refer to the download instructions for details on how to check your configuration.
- Jenkins: The Snyk Security Scanner automatically updates the CLI unless deactivated. Refer to the download instructions for details on how to check your configuration.
- Azure Pipelines: Automatically uses the latest CLI.
- Bitbucket Pipelines: Uses an already-updated Docker image.
- GitHub Actions: Uses an already-updated Docker image.
- TeamCity: The new plugin version v20220930.142957, which bundles CLI version 1.1017.0, has been released.
- AWS CodePipeline: Automatically uses the latest CLI.