
CVE-2024-48964: OS Command Injection in Snyk gradle plugin

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.0821%
Published: 10/23/2024
Updated: 10/30/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: snyk-gradle-plugin
Ecosystem: npm
Vulnerable Versions: < 4.5.0
First Patched Version: 4.5.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from two issues. First, `getCommand` in `lib/index.ts` wrapped paths in quotes by hand instead of escaping them as arguments, so a directory name containing command-termination characters could break out of the quoted argument. Second, the `execute()` function in `sub-process.ts` ran commands with `shell: true` and used `quoteAll` rather than `escapeAll`, so special characters were not properly neutralized. The patch fixed both: it removed the manual quoting, switched to `escapeAll`, and disabled shell execution. Both functions handled untrusted input (directory paths) directly and were central to the command injection.


WAF Protection Rules

WAF Rule

The Snyk gradle plugin is vulnerable to Code Injection when scanning an untrusted gradle project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name.
