Home

Description

The package Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted Gradle project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects.

PUBLISHED Reserved 2024-10-10 | Published 2024-10-23 | Updated 2024-10-24 | Assigner snyk




HIGH: 7.5CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
HIGH: 7.5CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Any version before 1.1294.0
affected

Any version before 4.5.0
affected

References

github.com/...ommit/2f5ee7579f00660282dd161a0b79690f4a9c865d

cve.org (CVE-2024-48964)

nvd.nist.gov (CVE-2024-48964)

Download JSON