CVE-2024-48964 — Vulnetix

CVE-2024-48964 PUBLISHED CVSS 7.5 HIGH

The package Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted Gradle project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects.

EPSS 0.14% · 33.3th percentile

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score

0.14%

33.3th percentile

Affected Products

Vendor	Product	Versions
npm	snyk-gradle-plugin	0
Snyk	Snyk Cli	0
snyk	snyk_gradle_plugin	0
Snyk	Snyk Gradle Plugin	0
snyk	snyk_cli	0
snyk	snyk_cli	0

Timeline

Oct 23, 2024 CVE Published
Oct 23, 2024 Coalition ESS Score
Oct 24, 2024 EPSS Score
Oct 25, 2024 Coalition ESS Score
Oct 30, 2024 Coalition ESS Score
Nov 11, 2024 EPSS Score
Nov 30, 2024 EPSS Score
Dec 19, 2024 EPSS Score
Jan 6, 2025 EPSS Score
Jan 25, 2025 EPSS Score
Feb 12, 2025 EPSS Score
Mar 2, 2025 EPSS Score

References

https://github.com/snyk/snyk-gradle-plugin/commit/2f5ee7579f00660282dd161a0b79690f4a9c865d url
https://nvd.nist.gov/vuln/detail/CVE-2024-48964 advisory
https://github.com/snyk/snyk-gradle-plugin package

Open in Interactive Console →