View my tickets
Submit a ticket Try Snyk for free

Articles in this section

See more
  1. Support Portal | Snyk
  2. Snyk CLI
  3. CLI

CVE-2022-24441 and CVE-2022-22984 - Code injection vulnerabilities in Snyk CLI and IDE plugins

  • Updated

CVE-2022-24441 - Code injection in Snyk CLI and Snyk IDE plugins

Snyk was notified by Imperva of a medium severity vulnerability (CVE-2022-24441) affecting the Snyk CLI and IDE plugins. Snyk took immediate action to reproduce and mitigate this vulnerability, and on November 30, 2022 Snyk released updates to the Snyk IDE plugins to address it.

Snyk IDE plugins invoke the Snyk CLI when a folder is opened. As the Snyk CLI may call build tools to provide information about dependencies, this can potentially lead to the automatic execution of arbitrary code by opening a folder in your IDE.

To safeguard against the risk of running untrusted projects, Snyk has implemented a change in the Snyk IDE Plugins that asks if you trust the contents of the folder before running any scans against code.

Snyk has also updated the documentation for the Snyk CLI with best practice advice (see Code execution warning for Snyk CLI) to avoid scanning untrusted code.

CVE-2022-22984 - Snyk CLI Command Injection

While investigating the CVE-2022-24441 vulnerability, Snyk discovered a similar but separate issue (CVE-2022-22984) affecting the Snyk CLI prior to version v1.1064.0.

These versions are vulnerable to an arbitrary command injection vulnerability in the context of specific command line options which are used to construct arguments for spawning subsequent child processes.

For example, when environment variables are passed to additional arguments provided after the “double dash” CLI parameter, if an attacker gained control of such variables they could be used to inject arbitrary commands:

snyk test -- -Dversion=$BUILD_NUMBER

Due to the attack complexity and the need to control calls to the Snyk CLI, this is not a major risk. However, Snyk customers should update as soon as possible to ensure programmatic usage of the Snyk CLI is protected from abuse.

Recommended actions

Snyk CLI

Update your Snyk CLI to version v1.1064.0 or higher.

For example, run npm i -g snyk@1.1064.0 or npm i -g snyk@latest

You can check which version of the Snyk CLI you have installed by running snyk --version

Review the best practice advice (see Code execution warning for Snyk CLI) on avoiding scanning untrusted code in the CLI.

Snyk IDE Plugins

By default, Snyk IDE plugin users will be automatically updated within four days of the release of the updated plugins on November 30, 2022.

Users who have deactivated automatic updates should update the IDE plugins to the latest version.

You can check which version of the Snyk IDE Plugins you are using and toggle automatic updates in the plugin configuration (see the table that follows).

If your copy of the IDE plugin does not have these settings, upgrade to the latest version of the plugin.

Refer to the following table to ensure you are updating your IDE Plugin to the fixed version.

IDE Plugin

Affected versions

Fixed version

Documentation

JetBrains (IntelliJ IDEA, WebStorm, Android Studio, AppCode, GoLand, PhpStorm, PyCharm, Rider, and RubyMine)

<= 2.4.47

2.4.48

Jetbrains plugin configuration

Visual Studio

<= 1.1.30

1.1.31

Visual Studio extension configuration

Visual Studio Code

<= 1.8.0

1.9.0

VSCode extension configuration

Eclipse

<= v20221115.132308

v20221130

Eclipse plugin configuration

Snyk Language Server

<= v20221109.114426

v20221130

Snyk Language Server configuration

Snyk CI/CD Plugins

By default most CI/CD plugins update automatically, either in their entirety or the version of the CLI they use. The primary exception to this is the Snyk TeamCity plugin. A new version of this has been released. Update the Snyk TeamCity plugin to version v20221130.093605 or newer.

If the default of automatic updates has been changed, Snyk recommends either to switch the configuration back to automatic CLI updates, or update manually to a Snyk CLI with version v1.1064.0 or higher.

Integration-specific details follow:

  • Artifactory: The Snyk Artifactory plugin does not use the CLI and is not affected.
  • Nexus: The Nexus plugin does not use the CLI and is not affected.
  • CircleCI: The Snyk Orb checks and updates the CLI automatically on scan.
  • Snyk Maven Plugin: This plugin automatically updates the CLI and uses the fixed version unless it has been manually configured to not update, or a custom CLI instance has been specified. Refer to the download instructions for details on how to check your configuration.
  • Jenkins: The Snyk Security Scanner automatically updates the CLI unless automatic update has been deactivated. Refer to the download instructions for details on how to check your configuration.
  • Azure Pipelines: This plugin automatically uses the latest CLI.
  • Bitbucket Pipelines: This plugin uses the already updated docker image.
  • Github Actions: This plugin uses the already updated docker image.
  • TeamCity: The new version v20221130.093605 or newer that bundles CLI version v1.1064.0 is released.
  • AWS CodePipeline: This plugin automatically uses the latest CLI.