This issue is independent of the one reported in [CVE-2022-40764](https://security.snyk.io/vulnerable/2022-40764) and does not relate to potential code execution through a malicious build file. The Snyk CLI and Snyk IDE plugin will report a warning when a project is scanned, but will continue to scan the project and display results for all findings. This may be confusing for users who have experienced the Code Injection vulnerability when scanning a project.

How to fix this issue?

When scanning a project, the Snyk CLI and Snyk IDE plugin will now emit a warning and then continue to scan the project as normal.

References

* https://snyk.io/snyk-20180404-code-injection-vulnerability-remediation
* https://security.snyk.io/CVE-2022-40764

Detecting if a project has been identified as vulnerable or not

Due to the nature of the vulnerability, Code Injection is not detected simply by scanning a project. If a project has been reported as vulnerable but the issue is not detected, you can use the Snyk CLI or Snyk IDE plugin to scan the project and report its findings. Scanning a project that has been reported as vulnerable without the issue being detected may be confusing for users; this section explains why that happens.

How does the Code Injection Vulnerability occur?

The Code Injection vulnerability occurs in the Snyk CLI and Snyk IDE plugin when those tools scan a codebase that has been modified to include malicious build files. Snyk will continue to scan supposedly safe projects and report all findings, which may be confusing for users who have experienced the Code Injection vulnerability when scanning a project.

Summary:

A new vulnerability has been identified in the Apache Maven build tool by the security researcher Iddo Moftah (@iedmoftah).
The vulnerability does not relate to potential code execution through a malicious build file. The Snyk CLI and Snyk IDE plugin will report a warning when a project is scanned, but will continue to scan the project and display results for all findings.

Timeline

Published on: 11/30/2022 13:15:00 UTC
Last modified on: 12/02/2022 19:16:00 UTC