CVE-2024-48964

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Published: Oct 23, 2024 / Updated: 27d ago

CVSS 7.5 / EPSS 0.04% / High

Summary

The Snyk CLI package versions prior to 1.1294.0 contain a vulnerability that allows for Code Injection when scanning an untrusted Gradle project. This vulnerability can be triggered if the 'Snyk test' command is executed within an untrusted project due to improper handling of the current working directory name.

Impact

If exploited, this vulnerability could allow an attacker to inject and execute arbitrary code on the system running the Snyk CLI. This could lead to unauthorized access, data theft, or further compromise of the affected system. The vulnerability is particularly dangerous in scenarios where the Snyk CLI is used to scan untrusted or potentially malicious projects, as it could turn a security tool into an attack vector.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The vulnerability has been fixed in Snyk CLI version 1.1294.0 and later.

Mitigation

1. Update Snyk CLI to version 1.1294.0 or later immediately.
2. Only scan trusted projects with Snyk CLI.
3. If scanning untrusted projects is necessary, do so in an isolated, sandboxed environment.
4. Implement strict access controls and monitoring for systems where Snyk CLI is used.
5. Regularly review and update security practices around the use of code scanning tools.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment

NVD published the first details for CVE-2024-48964

Oct 23, 2024 at 7:15 PM
CVSS

A CVSS base score of 7.5 has been assigned.

Oct 23, 2024 at 7:21 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-48964.

Oct 23, 2024 at 7:22 PM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 23, 2024 at 7:22 PM
Vendor Advisory

GitHub Advisories released a security advisory.

Oct 23, 2024 at 9:30 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (5001321)

Oct 24, 2024 at 5:15 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10.4%)

Oct 24, 2024 at 9:50 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (6246646)

Oct 25, 2024 at 7:53 AM
CVSS

A CVSS base score of 7.5 has been assigned.

Oct 25, 2024 at 1:00 PM / nvd

Affected Systems

Snyk/snyk_cli

Patches

Github Advisory

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

Vendor Advisory

[GHSA-qqqw-gm93-qf6m] OS Command Injection in Snyk gradle plugin

GitHub Security Advisory: GHSA-qqqw-gm93-qf6m
Release Date: 2024-10-23
Update Date: 2024-10-23
Severity: High
CVE-2024-48964

Package Information
Package: snyk-gradle-plugin
Affected Versions:
Patched Versions: 4.5.0

Description
The Snyk gradle plugin is vulnerable to Code Injection when scanning an untrusted Gradle project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects.

News

Snyk CLI Vulnerability: Beware of Code Injection in Untrusted Projects (CVE-2024-48964)
– Snyk CLI versions before 1.1294.0 are susceptible to code injection when scanning untrusted Gradle projects. Stay updated: Keep your development tools, including Snyk CLI, updated with the latest security patches.
v1.1294.0
Fix for security issue: The Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted (PHP|Gradle) project.
CycloneDX 1.6 SBOM support: This new version now supports generating CycloneDX 1.6 SBOMs using the command, providing you with more comprehensive and detailed information about your software components and their dependencies.
CVE Alert: CVE-2024-48964 - https://www.redpacketsecurity.com/cve_alert_cve-2024-48964/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_48964
CVE Alert: CVE-2024-48964
Snyk recommends only scanning trusted projects. The package Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted Gradle project.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
