MidnightBSD

Advisories for snyk

CVE-2019-3800 LOW

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.

CVSS 2.0

Severity: LOW

Problem Type: CWE-522,CWE-200,

Products Affected

Vendor Product Version
forgerock service_broker *
wavefront wavefront_by_vmware_nozzle *
pivotal metric_registrar_release *
sumologic nozzle *
appdynamics application_performance_monitoring *
pagerduty service_broker *
pivotal cloud_foundry_deployment *
pivotal cloud_foundry_log_cache_release *
dynatrace service_broker *
samba volume_service *
apigee edge_service_broker *
pivotal pivotal_cloud_foundry_service_broker *
appdynamics platform_montioring *
riverbed steelcentral_appinternals *
anynines logme *
tibco businessworks_buildpack *
newrelic nozzle *
pivotal cloud_foundry_routing_release *
pivotal on_demand_service_broker *
newrelic dotnet_extension_buildpack *
anynines postgresql *
datastax enterprise_service_broker *
anynines rabbitmq *
microsoft azure_service_broker *
splunk nozzle *
datadoghq application_monitoring *
pivotal cloud_foundry_healthwatch *
contrastsecurity service_broker *
cyberark conjur_service_broker *
newrelic service_broker *
bluemedora nozzle *
pivotal cloud_foundry_autoscaling_release *
pivotal cloud_foundry_command_line_interface *
pivotal cloud_foundry_networking_release *
appdynamics application_analytics *
pivotal cloud_foundry_notifications *
signalsciences service_broker *
ibm websphere_liberty_ *
pivotal cloud_foundry_command_line_interface_release *
pivotal single_sign-on *
pivotal application_service *
anynines mysql *
anynines redis *
solace pubsub+ *
pivotal cloud_foundry_event_alerts *
snyk service_broker *
microsoft azure_log_analytics_nozzle *
anynines elasticsearch *
pivotal credhub_service_broker_for_pcf *
pivotal cloud_foundry_deployment_concourse_tasks *
google google_cloud_platform_service_broker *
pivotal cloud_foundry_smoke_test *
yugabyte db_enterprise *
synopsys seeker_iast_service_broker *
anynines mongodb *
CVE-2020-7649

This affects the package snyk-broker before 4.73.0. It allows arbitrary file reads for users with access to Snyk's internal network via directory traversal.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6
report@snyk.io 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
snyk broker *
CVE-2022-22984

The package snyk before 1.1064.0; the package snyk-mvn-plugin before 2.31.3; the package snyk-gradle-plugin before 3.24.5; the package @snyk/snyk-cocoapods-plugin before 2.5.3; the package snyk-sbt-plugin before 2.16.2; the package snyk-python-plugin before 1.24.2; the package snyk-docker-plugin before 5.6.5; the package @snyk/snyk-hex-plugin before 1.1.6 are vulnerable to Command Injection due to an incomplete fix for [CVE-2022-40764](https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342). A successful exploit allows attackers to run arbitrary commands on the host system where the Snyk CLI is installed by passing in crafted command line flags. In order to exploit this vulnerability, a user would have to execute the snyk test command on untrusted files. In most cases, an attacker positioned to control the command line arguments to the Snyk CLI would already be positioned to execute arbitrary commands. However, this could be abused in specific scenarios, such as continuous integration pipelines, where developers can control the arguments passed to the Snyk CLI to leverage this component as part of a wider attack against an integration/build pipeline. This issue has been addressed in the latest Snyk Docker images available at https://hub.docker.com/r/snyk/snyk as of 2022-11-29. Images downloaded and built prior to that date should be updated. The issue has also been addressed in the Snyk TeamCity CI/CD plugin as of version v20221130.093605.

Products Affected

Vendor Product Version
snyk snyk_gradle_cli *
snyk snyk_hex_cli *
snyk snyk_python_cli *
snyk snyk_cli *
snyk snyk_cocoapods_cli *
snyk snyk_sbt_cli *
snyk snyk_docker_cli *
snyk snyk_maven_cli *
CVE-2022-24441

The package snyk before 1.1064.0 are vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious project can include commands in a build file such as build.gradle or gradle-wrapper.jar, which will be executed with the privileges of the application. This vulnerability may be triggered when running the the CLI tool directly, or when running a scan with one of the IDE plugins that invoke the Snyk CLI. Successful exploitation of this issue would likely require some level of social engineering - to coerce an untrusted project to be downloaded and analyzed via the Snyk CLI or opened in an IDE where a Snyk IDE plugin is installed and enabled. Additionally, if the IDE has a Trust feature then the target folder must be marked as ‘trusted’ in order to be vulnerable. **NOTE:** This issue is independent of the one reported in [CVE-2022-40764](https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342), and upgrading to a fixed version for this addresses that issue as well. The affected IDE plugins and versions are: - VS Code - Affected: <=1.8.0, Fixed: 1.9.0 - IntelliJ - Affected: <=2.4.47, Fixed: 2.4.48 - Visual Studio - Affected: <=1.1.30, Fixed: 1.1.31 - Eclipse - Affected: <=v20221115.132308, Fixed: All subsequent versions - Language Server - Affected: <=v20221109.114426, Fixed: All subsequent versions

Products Affected

Vendor Product Version
snyk snyk_language_server *
snyk snyk_security *
snyk snyk_cli *
CVE-2022-40764

Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
snyk cli *
snyk golang_cli *
CVE-2023-1065

This vulnerability in the Snyk Kubernetes Monitor can result in irrelevant data being posted to a Snyk Organization, which could in turn obfuscate other, relevant, security issues. It does not expose the user of the integration to any direct security risk and no user data can be leaked. To exploit the vulnerability the attacker does not need to be authenticated to Snyk but does need to know the target's Integration ID (which may or may not be the same as the Organization ID, although this is an unpredictable UUID in either case).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4
report@snyk.io 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L 3.9 2.5

Products Affected

Vendor Product Version
snyk kubernetes_monitor *
CVE-2023-1767

The Snyk Advisor website (https://snyk.io/advisor/) was vulnerable to a stored XSS prior to 28th March 2023. A feature of Snyk Advisor is to display the contents of a scanned package's Readme on its package health page. An attacker could create a package in NPM with an associated markdown README file containing XSS-able HTML tags. Upon Snyk Advisor importing the package, the XSS would run each time an end user browsed to the package's page on Snyk Advisor.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
report@snyk.io 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
snyk advisor *
CVE-2024-48963

The package Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted PHP project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
report@snyk.io 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

Products Affected

Vendor Product Version
snyk snyk_cli *
CVE-2024-48964

The package Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted Gradle project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
report@snyk.io 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

Products Affected

Vendor Product Version
snyk snyk_cli *
CVE-2025-6624

Versions of the package snyk before 1.1297.3 are vulnerable to Insertion of Sensitive Information into Log File through local Snyk CLI debug logs. Container Registry credentials provided via environment variables or command line arguments can be exposed when executing Snyk CLI in DEBUG or DEBUG/TRACE mode. The issue affects the following Snyk commands: 1. When snyk container test or snyk container monitor commands are run against a container registry, with debug mode enabled, the container registry credentials may be written into the local Snyk CLI debug log. This only happens with credentials specified in environment variables (SNYK_REGISTRY_USERNAME and SNYK_REGISTRY_PASSWORD), or in the CLI (--password/-p and --username/-u). 2. When snyk auth command is executed with debug mode enabled AND the log level is set to TRACE, the Snyk access / refresh credential tokens used to connect the CLI to Snyk may be written into the local CLI debug logs. 3. When snyk iac test is executed with a Remote IAC Custom rules bundle, debug mode enabled, AND the log level is set to TRACE, the docker registry token may be written into the local CLI debug logs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
report@snyk.io 7.2 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H 0.6 6.0

Products Affected

Vendor Product Version
snyk snyk_cli *