8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24441

GHSA ID

GHSA-4vrv-93c7-m92j

EPSS Score

0.77653%

CWE

CWE-94

Published

7/6/2023

Updated

7/6/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-24441

CVE-2022-24441: snyk Code Injection vulnerability

The package snyk before 1.1064.0 is vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious project can include commands in a build file such as build.gradle or gradle-wrapper.jar, which will be executed with the privileges of the application. This vulnerability may be triggered when running the the CLI tool directly, or when running a scan with one of the IDE plugins that invoke the Snyk CLI. Successful exploitation of this issue would likely require some level of social engineering - to coerce an untrusted project to be downloaded and analyzed via the Snyk CLI or opened in an IDE where a Snyk IDE plugin is installed and enabled. Additionally, if the IDE has a Trust feature then the target folder must be marked as ‘trusted’ in order to be vulnerable.

NOTE: This issue is independent of the one reported in CVE-2022-40764, and upgrading to a fixed version for this addresses that issue as well.

The affected IDE plugins and versions are:

VS Code - Affected: <=1.8.0, Fixed: 1.9.0
IntelliJ - Affected: <=2.4.47, Fixed: 2.4.48
Visual Studio - Affected: <=1.1.30, Fixed: 1.1.31
Eclipse - Affected: <=v20221115.132308, Fixed: All subsequent versions
Language Server - Affected: <=v20221109.114426, Fixed: All subsequent versions

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24441

GHSA ID

GHSA-4vrv-93c7-m92j

EPSS Score

0.77653%

CWE

CWE-94

Published

7/6/2023

Updated

7/6/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
snyk	npm	< 1.1064.0	1.1064.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from executing build processes/CLI commands without proper trust validation. Patches across all platforms added trust checks (checkIfTrusted, confirmScanningAndSetWorkspaceTrustedStateIfNeeded, trustedFolders) filtering before command execution. The vulnerable functions are the pre-patch versions of these methods that lacked trust validation, allowing malicious build file commands to execute when scanning untrusted projects.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** p**k*** snyk ***or* *.****.* is vuln*r**l* to *o** Inj**tion w**n *n*lyzin* * proj**t. *n *tt**k*r w*o **n *onvin** * us*r to s**n * m*li*ious proj**t **n in*lu** *omm*n*s in * *uil* *il* su** *s *uil*.*r**l* or *r**l*-wr*pp*r.j*r, w*i** will **

Reasoning

T** vuln*r**ility st*ms *rom *x**utin* *uil* pro**ss*s/*LI *omm*n*s wit*out prop*r trust v*li**tion. P*t***s **ross *ll pl*t*orms ***** trust ****ks (`****kI*Trust**`, `*on*irmS**nnin**n*S*tWorksp***Trust**St*t*I*N*****`, `trust***ol**rs`) *ilt*rin*

8.8

Basic Information

Concerned about an active attack path?

CVE-2022-24441: snyk Code Injection vulnerability

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI