Code Injection Affecting org.webjars.npm:snyk-gradle-plugin package, versions [0,]
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGWEBJARSNPM-8309100
- published 29 Oct 2024
- disclosed 23 Oct 2024
- credit Unknown
Introduced: 23 Oct 2024
New CVE-2024-48964 Open this link in a new tabHow to fix?
A fix was pushed into the master
branch but not yet published.
Overview
org.webjars.npm:snyk-gradle-plugin is a plugin for the Snyk CLI tool, providing dependency metadata for Gradle projects.
Affected versions of this package are vulnerable to Code Injection when scanning an untrusted Gradle project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects.
Note:
This is only a plugin to be used with the Snyk CLI tool. Considering that the user has to use Snyk CLI to run Snyk Test on a specific gradle project, the attack complexity of this vulnerability is High.