PT-2022-15754 · Snyk · Snyk-Mvn-Plugin+7

Ron Masas · Published 2022-11-30 · Updated 2023-08-08 · CVE-2022-22984

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

- snyk versions prior to 1.1064.0
- snyk-mvn-plugin versions prior to 2.31.3
- snyk-gradle-plugin versions prior to 3.24.5
- @snyk/snyk-cocoapods-plugin versions prior to 2.5.3
- snyk-sbt-plugin versions prior to 2.16.2
- snyk-python-plugin versions prior to 1.24.2
- snyk-docker-plugin versions prior to 5.6.5
- @snyk/snyk-hex-plugin versions prior to 1.1.6
Description

The issue allows attackers to run arbitrary commands on the host system where the Snyk CLI is installed by passing in crafted command line flags. A successful exploit requires a user to execute the snyk test command on untrusted files. This could be abused in specific scenarios, such as continuous integration pipelines, where developers can control the arguments passed to the Snyk CLI to leverage this component as part of a wider attack against an integration/build pipeline.
Recommendations

- For snyk versions prior to 1.1064.0, update to version 1.1064.0 or later.
- For snyk-mvn-plugin versions prior to 2.31.3, update to version 2.31.3 or later.
- For snyk-gradle-plugin versions prior to 3.24.5, update to version 3.24.5 or later.
- For @snyk/snyk-cocoapods-plugin versions prior to 2.5.3, update to version 2.5.3 or later.
- For snyk-sbt-plugin versions prior to 2.16.2, update to version 2.16.2 or later.
- For snyk-python-plugin versions prior to 1.24.2, update to version 1.24.2 or later.
- For snyk-docker-plugin versions prior to 5.6.5, update to version 5.6.5 or later.
- For @snyk/snyk-hex-plugin versions prior to 1.1.6, update to version 1.1.6 or later.

As a temporary workaround, consider avoiding the execution of the snyk test command on untrusted files until the issue is resolved.
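The following is an added example, not part of the advisory and not Snyk's own tooling: a small audit helper that takes the versions of the Snyk CLI and plugins installed on a build agent and flags any that fall below the fixed versions listed in the recommendations above. The fixed-version table is copied from this advisory; the installed versions in the usage call are constructed sample values, and the assumption that a version string begins with a dotted numeric core (optionally prefixed with "v" or followed by a pre-release or build suffix) is the author's, not something the advisory states.

```python
"""Audit installed Snyk CLI / plugin versions against CVE-2022-22984 fixed versions.

Added example for this advisory page; not Snyk's own code. Fixed versions are
taken from the advisory's recommendations section.
"""
import re
from typing import Dict, List, Tuple

# Package name -> first version that contains the fix (from the advisory).
FIXED_VERSIONS: Dict[str, str] = {
    "snyk": "1.1064.0",
    "snyk-mvn-plugin": "2.31.3",
    "snyk-gradle-plugin": "3.24.5",
    "@snyk/snyk-cocoapods-plugin": "2.5.3",
    "snyk-sbt-plugin": "2.16.2",
    "snyk-python-plugin": "1.24.2",
    "snyk-docker-plugin": "5.6.5",
    "@snyk/snyk-hex-plugin": "1.1.6",
}

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Return the numeric core of a version string as an integer tuple.

    Assumption: versions look like '1.1064.0', 'v2.31.3' or '3.24.5-beta.1'.
    A pre-release suffix is ignored, so '1.1064.0-rc1' compares equal to
    1.1064.0; treat pre-releases of the fixed version with suspicion.
    """
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def _padded(a: Tuple[int, ...], b: Tuple[int, ...]) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Right-pad the shorter tuple with zeros so '2.31' compares as '2.31.0'."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def is_vulnerable(package: str, installed: str) -> bool:
    """True if the installed version of `package` predates the fixed version."""
    fixed = FIXED_VERSIONS.get(package)
    if fixed is None:
        raise KeyError(f"{package!r} is not covered by this advisory")
    inst_t, fixed_t = _padded(parse_version(installed), parse_version(fixed))
    return inst_t < fixed_t


def audit(installed: Dict[str, str]) -> List[str]:
    """Return the sorted list of covered packages whose installed version is vulnerable.

    Packages not named in the advisory are ignored rather than flagged.
    """
    return sorted(
        pkg for pkg, ver in installed.items()
        if pkg in FIXED_VERSIONS and is_vulnerable(pkg, ver)
    )


if __name__ == "__main__":
    # Constructed sample inventory for a build agent (not real data).
    sample_inventory = {
        "snyk": "1.1063.0",                 # below 1.1064.0 -> vulnerable
        "snyk-mvn-plugin": "2.31.3",        # exactly the fixed version -> ok
        "snyk-gradle-plugin": "v3.24.4",    # below 3.24.5 -> vulnerable
        "snyk-python-plugin": "1.25.0",     # above 1.24.2 -> ok
        "some-unrelated-package": "0.1.0",  # not covered -> ignored
    }
    for pkg in audit(sample_inventory):
        print(f"UPDATE NEEDED: {pkg} {sample_inventory[pkg]} -> {FIXED_VERSIONS[pkg]}")
```

In a pipeline, the inventory dict would be filled from whatever the agent reports (for example the output of the CLI's own version flag or the package manager's listing); the comparison logic does not depend on where the strings come from. Note that the workaround in the advisory (not running snyk test on untrusted files) still applies to any package this audit flags until it has actually been upgraded.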

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2022-22984
GHSA-4X6G-3CMX-W76R

Affected Products

Snyk
Snyk-Cocoapods-Plugin
Snyk-Docker-Plugin
Snyk-Gradle-Plugin
Snyk-Hex-Plugin
Snyk-Mvn-Plugin
Snyk-Python-Plugin
Snyk-Sbt-Plugin