CVE-2022-24441 - Code injection in Snyk CLI and Snyk IDE plugins
Snyk was notified by Imperva of a medium severity vulnerability (CVE-2022-24441) affecting the Snyk CLI and IDE plugins. Snyk took immediate action to reproduce and mitigate this vulnerability, and on November 30, 2022 Snyk released updates to the Snyk IDE plugins to address it.
Snyk IDE plugins invoke the Snyk CLI when a folder is opened. Because the Snyk CLI may call build tools to gather dependency information, simply opening a folder in your IDE can lead to automatic execution of arbitrary code contained in that folder.
To safeguard against the risk of running untrusted projects, Snyk has implemented a change in the Snyk IDE Plugins that asks if you trust the contents of the folder before running any scans against code.
Snyk has also updated the documentation for the Snyk CLI with best practice advice (see Code execution warning for Snyk CLI) to avoid scanning untrusted code.
CVE-2022-22984 - Snyk CLI Command Injection
While investigating the CVE-2022-24441 vulnerability, Snyk discovered a similar but separate issue (CVE-2022-22984) affecting the Snyk CLI prior to version v1.1064.0.
These versions are vulnerable to arbitrary command injection through specific command line options whose values are used to construct the arguments for spawning child processes.
For example, when environment variables are passed in the additional arguments after the “double dash” CLI parameter, an attacker who controls such a variable could use it to inject arbitrary commands:
snyk test -- -Dversion=$BUILD_NUMBER
Due to the attack complexity and the need to control calls to the Snyk CLI, this is not a major risk. However, Snyk customers should update as soon as possible to ensure programmatic usage of the Snyk CLI is protected from abuse.
Recommended actions
Snyk CLI
Update your Snyk CLI to version v1.1064.0 or higher.
For example, run npm i -g snyk@1.1064.0 or npm i -g snyk@latest.
You can check which version of the Snyk CLI you have installed by running snyk --version.
Review the best practice advice (see Code execution warning for Snyk CLI) on avoiding scanning untrusted code in the CLI.
Snyk IDE Plugins
By default, Snyk IDE plugin users will be automatically updated within four days of the release of the updated plugins on November 30, 2022.
Users who have deactivated automatic updates should update the IDE plugins to the latest version.
You can check which version of the Snyk IDE Plugins you are using and toggle automatic updates in the plugin configuration (see the table that follows).
If your copy of the IDE plugin does not have these settings, upgrade to the latest version of the plugin.
Refer to the following table to ensure you are updating your IDE Plugin to the fixed version.
| IDE Plugin | Affected versions | Fixed version |
| --- | --- | --- |
| JetBrains (IntelliJ IDEA, WebStorm, Android Studio, AppCode, GoLand, PhpStorm, PyCharm, Rider, and RubyMine) | <= 2.4.47 | 2.4.48 |
| Visual Studio | <= 1.1.30 | 1.1.31 |
| Visual Studio Code | <= 1.8.0 | 1.9.0 |
| Eclipse | <= v20221115.132308 | v20221130 |
| Snyk Language Server | <= v20221109.114426 | v20221130 |
Snyk CI/CD Plugins
By default, most CI/CD plugins update automatically, either in their entirety or in the version of the CLI they use. The primary exception is the Snyk TeamCity plugin, for which a new version has been released. Update the Snyk TeamCity plugin to version v20221130.093605 or newer.
If the automatic-update default has been changed, Snyk recommends either switching the configuration back to automatic CLI updates or updating manually to Snyk CLI version v1.1064.0 or higher.
Integration-specific details follow:
- Artifactory: The Snyk Artifactory plugin does not use the CLI and is not affected.
- Nexus: The Nexus plugin does not use the CLI and is not affected.
- CircleCI: The Snyk Orb checks and updates the CLI automatically on scan.
- Snyk Maven Plugin: This plugin automatically updates the CLI and uses the fixed version unless it has been manually configured to not update, or a custom CLI instance has been specified. Refer to the download instructions for details on how to check your configuration.
- Jenkins: The Snyk Security Scanner automatically updates the CLI unless automatic update has been deactivated. Refer to the download instructions for details on how to check your configuration.
- Azure Pipelines: This plugin automatically uses the latest CLI.
- Bitbucket Pipelines: This plugin uses the already updated docker image.
- GitHub Actions: This plugin uses the already updated docker image.
- TeamCity: A new version, v20221130.093605, that bundles CLI version v1.1064.0 has been released; update to it or newer.
- AWS CodePipeline: This plugin automatically uses the latest CLI.