CVE-2022-22984
CVE-2022-22984 is a medium-severity vulnerability in Snyk Snyk Cli with a CVSS 3.x base score of 5.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-78.
Key facts
- Severity: Medium (CVSS 3.x base score 5.0)
- EPSS exploit prediction: 3% (86th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-78
- Affected product: Snyk Snyk Cli
- Published:
- Last modified:
Description
The package snyk before 1.1064.0; the package snyk-mvn-plugin before 2.31.3; the package snyk-gradle-plugin before 3.24.5; the package @snyk/snyk-cocoapods-plugin before 2.5.3; the package snyk-sbt-plugin before 2.16.2; the package snyk-python-plugin before 1.24.2; the package snyk-docker-plugin before 5.6.5; the package @snyk/snyk-hex-plugin before 1.1.6 are vulnerable to Command Injection due to an incomplete fix for [CVE-2022-40764](https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342). A successful exploit allows attackers to run arbitrary commands on the host system where the Snyk CLI is installed by passing in crafted command line flags. In order to exploit this vulnerability, a user would have to execute the snyk test command on untrusted files. In most cases, an attacker positioned to control the command line arguments to the Snyk CLI would already be positioned to execute arbitrary commands. However, this could be abused in specific scenarios, such as continuous integration pipelines, where developers can control the arguments passed to the Snyk CLI to leverage this component as part of a wider attack against an integration/build pipeline. This issue has been addressed in the latest Snyk Docker images available at https://hub.docker.com/r/snyk/snyk as of 2022-11-29. Images downloaded and built prior to that date should be updated. The issue has also been addressed in the Snyk TeamCity CI/CD plugin as of version v20221130.093605.
Frequently asked questions
- What is CVE-2022-22984?
- The package snyk before 1.1064.0; the package snyk-mvn-plugin before 2.31.3; the package snyk-gradle-plugin before 3.24.5; the package @snyk/snyk-cocoapods-plugin before 2.5.3; the package snyk-sbt-plugin before 2.16.2; the package snyk-python-plugin before 1.24.2; the package snyk-docker-plugin before 5.6.5; the package @snyk/snyk-hex-plugin before 1.1.6 are vulnerable to Command Injection due to an incomplete fix for [CVE-2022-40764](https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342). A successful exploit allows attackers to run arbitrary commands on the host system where the Snyk CLI is installed by passing in crafted command line flags. In order to exploit this vulnerability, a user would have to execute the snyk test command on untrusted files. In most cases, an attacker positioned to control the command line arguments to the Snyk CLI would already be positioned to execute arbitrary commands. However, this could be abused in specific scenarios, such as continuous integration pipelines, where developers can control the arguments passed to the Snyk CLI to leverage this component as part of a wider attack against an integration/build pipeline. This issue has been addressed in the latest Snyk Docker images available at https://hub.docker.com/r/snyk/snyk as of 2022-11-29. Images downloaded and built prior to that date should be updated. The issue has also been addressed in the Snyk TeamCity CI/CD plugin as of version v20221130.093605.
- How severe is CVE-2022-22984?
- CVE-2022-22984 has a CVSS 3.x base score of 5.0, rated medium severity. It is exploitable over network with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability low.
- Is CVE-2022-22984 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 3% (86th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-22984?
- CVE-2022-22984 primarily affects Snyk Snyk Cli. In total, 8 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-22984?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2022-22984 published?
- CVE-2022-22984 was published on 2022-11-30 and last updated on 2026-06-17.
References
- https://github.com/snyk/cli/commit/80d97a93326406e09776156daf72e3caa03ae25a
- https://github.com/snyk/snyk-cocoapods-plugin/commit/c73e049c5200772babde61c40aab57296bf91381
- https://github.com/snyk/snyk-docker-plugin/commit/d730d7630691a61587b120bb11daaaf4b58a8357
- https://github.com/snyk/snyk-gradle-plugin/commit/bb1c1c72a75e97723a76b14d2d73f70744ed5009
- https://github.com/snyk/snyk-hex-plugin/commit/e8dd2a330b40d7fc0ab47e34413e80a0146d7ac3
- https://github.com/snyk/snyk-mvn-plugin/commit/02cda9ba1ea36b00ead3f6ec2de0f97397ebec50
- https://github.com/snyk/snyk-python-plugin/commit/8591abdd9236108ac3e30c70c09238d6bb6aabf4
- https://github.com/snyk/snyk-sbt-plugin/commit/99c09eb12c9f8f2b237aea9627aab1ae3cab6437
- https://security.snyk.io/vuln/SNYK-JS-SNYK-3038622
- https://security.snyk.io/vuln/SNYK-JS-SNYKDOCKERPLUGIN-3039679
- https://security.snyk.io/vuln/SNYK-JS-SNYKGRADLEPLUGIN-3038624
- https://security.snyk.io/vuln/SNYK-JS-SNYKMVNPLUGIN-3038623
- https://security.snyk.io/vuln/SNYK-JS-SNYKPYTHONPLUGIN-3039677
- https://security.snyk.io/vuln/SNYK-JS-SNYKSBTPLUGIN-3038626
- https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKCOCOAPODSPLUGIN-3038625
- https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKHEXPLUGIN-3039680
- https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/
Affected products (8)
- cpe:2.3:a:snyk:snyk_cli:*:*:*:*:*:*:*:*
- cpe:2.3:a:snyk:snyk_cocoapods_cli:*:*:*:*:*:snyk:*:*
- cpe:2.3:a:snyk:snyk_docker_cli:*:*:*:*:*:snyk:*:*
- cpe:2.3:a:snyk:snyk_gradle_cli:*:*:*:*:*:snyk:*:*
- cpe:2.3:a:snyk:snyk_hex_cli:*:*:*:*:*:snyk:*:*
- cpe:2.3:a:snyk:snyk_maven_cli:*:*:*:*:*:snyk:*:*
- cpe:2.3:a:snyk:snyk_python_cli:*:*:*:*:*:snyk:*:*
- cpe:2.3:a:snyk:snyk_sbt_cli:*:*:*:*:*:snyk:*:*
More vulnerabilities in Snyk Snyk Cli
- CVE-2024-48964 — High (CVSS 7.5): The package Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted Gradle project. The…
- CVE-2024-48963 — High (CVSS 7.5): The package Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted PHP project. The…
- CVE-2025-6624 — High (CVSS 7.2): Versions of the package snyk before 1.1297.3 are vulnerable to Insertion of Sensitive Information into Log File through…
- CVE-2022-24441 — Medium (CVSS 5.8): The package snyk before 1.1064.0 are vulnerable to Code Injection when analyzing a project. An attacker who can…
All CVEs affecting Snyk Snyk Cli →
Other CWE-78 (OS Command Injection) vulnerabilities
- CVE-2026-56004 — Critical (CVSS 10.0): A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by…
- CVE-2026-56415 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is…
- CVE-2026-56413 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens…
- CVE-2026-49869 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in…
- CVE-2026-49261 — Critical (CVSS 10.0): MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through…
- CVE-2026-10520 — Critical (CVSS 10.0): An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a…