admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-05-07 11:06:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Auto-merge PR#2774

Browse Source 
Auto-merge PR#2774
This commit is contained in:
CVE Team 2019-11-25 12:41:22 -05:00 committed by GitHub
commit 13cbb7a39c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 108 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

108
2019/16xxx/CVE-2019-16765.json Normal file
View File

@ -0,0 +1,108 @@
{
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2019-16765",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "vscode-codeql",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "< 1.0.1",
"version_value": "1.0.1"
}
]
}
}
]
},
"vendor_name": "github"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "If an attacker can get a user to open a specially prepared directory tree as a workspace in Visual Studio Code with the CodeQL extension active, arbitrary code of the attacker's choosing may be executed on the user's behalf.\n\nThis is fixed in version 1.0.1 of the extension. Users should upgrade to this version using Visual Studio Code Marketplace's upgrade mechanism.\n\nAfter upgrading, the codeQL.cli.executablePath setting can only be set in the per-user settings, and not in the per-workspace settings. More information about VS Code settings can be found here."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-250 Execution with Unnecessary Privileges"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/github/vscode-codeql/security/advisories/GHSA-wf4x-8mpj-r42q",
"refsource": "CONFIRM",
"url": "https://github.com/github/vscode-codeql/security/advisories/GHSA-wf4x-8mpj-r42q"
},
{
"name": "https://github.com/github/vscode-codeql/pull/174",
"refsource": "MISC",
"url": "https://github.com/github/vscode-codeql/pull/174"
},
{
"name": "https://github.com/github/vscode-codeql/blob/v1.0.1/CHANGELOG.md",
"refsource": "MISC",
"url": "https://github.com/github/vscode-codeql/blob/v1.0.1/CHANGELOG.md"
}
]
},
"source": {
"advisory": "GHSA-wf4x-8mpj-r42q",
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "eng",
"value": "Manually review the workspace settings for any workspace obtained from an external source. These settings can be found in the .vscode/settings.json file within the workspace directory. Remove the configuration values for the codeQL.cli.executablePath, codeQL.cli.owner, and codeQL.cli.repository settings for the workspace.\n\nIf you wish to use the codeQL.cli.executablePath setting to indicate the location of a CodeQL CLI executable, then move this to your user settings, and check that you trust the configured path. You can access the user settings by choosing Preferences: Open User Settings from the Command Palette."
}
]
}