CVE-2022-40764
https://notcve.org/view.php?id=CVE-2022-40764
Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957. Snyk CLI versiones anteriores a 1.996.0, permite una ejecución de comandos arbitraria, afectando a los plugins de Snyk IDE y al paquete snyk npm. • https://github.com/snyk/cli/releases/tag/v1.996.0 https://github.com/snyk/snyk-go-plugin/releases/tag/v1.19.1 https://support.snyk.io/hc/en-us/articles/7015908293789-CVE-2022-40764-Command-Injection-vulnerability-affecting-Snyk-CLI-versions-prior-to-1-996-0 https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2016-10538
https://notcve.org/view.php?id=CVE-2016-10538
The package `node-cli` before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to. El paquete node-cli, en versiones anteriores a la 1.0.0, emplea de forma insegura lock_file y log_file. Ambos son temporales, pero permite que el usuario inicial sobrescriba cualquier archivo al que tenga acceso. • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809252 https://github.com/node-js-libs/cli/issues/81 https://nodesecurity.io/advisories/95 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2007-4027
https://notcve.org/view.php?id=CVE-2007-4027
Buffer overflow in cli32 in Areca CLI 1.72.250 and earlier might allow local users to gain privileges via a long argument. NOTE: this program is not setuid by default, but there are some usage scenarios in which an administrator might make it setuid. Desbordamiento de búfer en el cli32 del Areca CLI 1.72.250 y versiones anteriores puede permitir a usuarios locales la obtención de privilegios mediante un argumento largo. NOTA: este programa no es de tipo setuid por defecto, pero hay algunos escenarios de uso, en los cuales el administrador puede hacerlo de este tipo. • http://osvdb.org/38999 http://securityreason.com/securityalert/2928 http://www.devtarget.org/areca-advisory-07-2007.txt http://www.securityfocus.com/archive/1/474415/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/35546 •