CVE-2022-40764

Name of the Vulnerable Software and Affected Versions Snyk CLI versions prior to 1.996.0 snyk-go-plugin versions prior to 1.19.1 Snyk TeamCity plugin versions prior to 20220930.142957

Description The issue allows for arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could occur through the common practice of viewing untrusted files in the Visual Studio Code editor. The original demonstration involved shell metacharacters in the vendor.json ignore field.

Recommendations For Snyk CLI versions prior to 1.996.0, update to version 1.996.0 or later. For snyk-go-plugin versions prior to 1.19.1, update to version 1.19.1 or later. For Snyk TeamCity plugin versions prior to 20220930.142957, update to version 20220930.142957 or later. As a temporary workaround, consider restricting the use of the vendor.json ignore field until a patch is available.