Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02OWY5LWg4ZjktN3ZqZs4ABAnP
OS Command Injection in Snyk php plugin
The Snyk php plugin is vulnerable to Code Injection when scanning an untrusted PHP project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects.
Permalink: https://github.com/advisories/GHSA-69f9-h8f9-7vjfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02OWY5LWg4ZjktN3ZqZs4ABAnP
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 28 days ago
Updated: 28 days ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-69f9-h8f9-7vjf, CVE-2024-48963
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-48963
- https://github.com/snyk/snyk-php-plugin/releases/tag/v1.10.0
- https://github.com/snyk/snyk-php-plugin/commit/9189f093b94f9ce51672f6919ffbc98171fd66d4
- https://github.com/advisories/GHSA-69f9-h8f9-7vjf
Blast Radius: 28.6
Affected Packages
npm:snyk-php-plugin
Dependent packages: 3Dependent repositories: 6,604
Downloads: 96,678 last month
Affected Version Ranges: < 1.10.0
Fixed in: 1.10.0
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4
All unaffected versions: 1.10.0