I. Basic information on vulnerability CVE-2022-22984
Vulnerability title
Command injection
Source: AIGC Shenlong large model
Vulnerability description
The following packages contain a command injection vulnerability because of an incomplete fix for [CVE-2022-40764](https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342): snyk before 1.1064.0; snyk-mvn-plugin before 2.31.3; snyk-gradle-plugin before 3.24.5; @snyk/snyk-cocoapods-plugin before 2.5.3; snyk-sbt-plugin before 2.16.2; snyk-python-plugin before 1.24.2; snyk-docker-plugin before 5.6.5; @snyk/snyk-hex-plugin before 1.1.6. A successful exploit lets an attacker run arbitrary commands on the host where the Snyk CLI is installed by passing crafted command line flags. To exploit the vulnerability, a user would have to run the snyk test command on untrusted files. In most cases, an attacker who can control the Snyk CLI command line arguments can already execute arbitrary commands. However, in specific scenarios such as continuous integration pipelines, where developers control the arguments passed to the Snyk CLI, this component could be abused as part of a wider attack on the integration/build pipeline. The issue was addressed in the latest Snyk Docker images available as of 2022-11-29, which can be downloaded from https://hub.docker.com/r/snyk/snyk. Images downloaded and built before that date should be updated. The issue was also addressed in the Snyk TeamCity CI/CD plugin as of version v20221130.093605.
Source: AIGC Shenlong large model
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Source: AIGC Shenlong large model
Vulnerability category
N/A
Source: AIGC Shenlong large model
Vulnerability title
Command Injection
Source: US National Vulnerability Database (NVD)
Vulnerability description
The package snyk before 1.1064.0; the package snyk-mvn-plugin before 2.31.3; the package snyk-gradle-plugin before 3.24.5; the package @snyk/snyk-cocoapods-plugin before 2.5.3; the package snyk-sbt-plugin before 2.16.2; the package snyk-python-plugin before 1.24.2; the package snyk-docker-plugin before 5.6.5; the package @snyk/snyk-hex-plugin before 1.1.6 are vulnerable to Command Injection due to an incomplete fix for [CVE-2022-40764](https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342). A successful exploit allows attackers to run arbitrary commands on the host system where the Snyk CLI is installed by passing in crafted command line flags. In order to exploit this vulnerability, a user would have to execute the snyk test command on untrusted files. In most cases, an attacker positioned to control the command line arguments to the Snyk CLI would already be positioned to execute arbitrary commands. However, this could be abused in specific scenarios, such as continuous integration pipelines, where developers can control the arguments passed to the Snyk CLI to leverage this component as part of a wider attack against an integration/build pipeline. This issue has been addressed in the latest Snyk Docker images available at https://hub.docker.com/r/snyk/snyk as of 2022-11-29. Images downloaded and built prior to that date should be updated. The issue has also been addressed in the Snyk TeamCity CI/CD plugin as of version v20221130.093605.
Source: US National Vulnerability Database (NVD)
CVSS information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Source: US National Vulnerability Database (NVD)
Vulnerability category
N/A
Source: US National Vulnerability Database (NVD)
Vulnerability title
Snyk CLI OS command injection vulnerability
Source: China National Vulnerability Database of Information Security (CNNVD)
Vulnerability description
Snyk CLI is a build-time tool from the US company Snyk for finding and fixing known vulnerabilities in projects. Snyk CLI versions before 1.1064.0, snyk-mvn-plugin before 2.31.3, snyk-gradle-plugin before 3.24.5, snyk-cocoapods-plugin before 2.5.3, snyk-sbt-plugin before 2.16.2, snyk-python-plugin before 1.24.2, snyk-docker-plugin before 5.6.5, snyk-hex-plugin
Source: China National Vulnerability Database of Information Security (CNNVD)
CVSS information
N/A
Source: China National Vulnerability Database of Information Security (CNNVD)
Vulnerability category
Authorization issue
Source: China National Vulnerability Database of Information Security (CNNVD)
II. Public POCs for vulnerability CVE-2022-22984
# POC Description Source link Shenlong link
III. Intelligence on vulnerability CVE-2022-22984