PT-2022-16699 · Microsoft+2 · Visual Studio+3

Ron Masas · Published 2022-11-30 · Updated 2024-10-27 · CVE-2022-24441

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

snyk versions prior to 1.1064.0
VS Code versions prior to 1.9.0
IntelliJ versions prior to 2.4.48
Visual Studio versions prior to 1.1.31
Eclipse versions prior to v20221115.132308
Language Server versions prior to v20221109.114426
Description

The issue allows for Code Injection when analyzing a project. An attacker can include commands in a build file, such as build.gradle or gradle-wrapper.jar, which will be executed with the privileges of the application. This can be triggered when running the CLI tool directly or when running a scan with one of the IDE plugins that invoke the Snyk CLI. Successful exploitation would likely require some level of social engineering to coerce an untrusted project to be downloaded and analyzed. If the IDE has a Trust feature, the target folder must be marked as ‘trusted’ to be vulnerable.
Recommendations

For snyk versions prior to 1.1064.0, update to version 1.1064.0 or later.
For VS Code versions prior to 1.9.0, update to version 1.9.0 or later.
For IntelliJ versions prior to 2.4.48, update to version 2.4.48 or later.
For Visual Studio versions prior to 1.1.31, update to version 1.1.31 or later.
For Eclipse versions prior to v20221115.132308, update to a subsequent version.
For Language Server versions prior to v20221109.114426, update to a subsequent version.

As a temporary workaround, consider restricting the use of the Snyk CLI or IDE plugins to minimize the risk of exploitation. Avoid analyzing untrusted projects and ensure that only trusted folders are marked as such in the IDE.

Exploit · Fix

Weakness Enumeration

Code Injection
OS Command Injection

Related Identifiers

CVE-2022-24441
GHSA-4VRV-93C7-M92J

Affected Products

Intellij
Vscode
Visual Studio
Snyk