Add CVE-2022-35975 for GHSA-873x-829r-gxcp

2025-08-04 08:44:25 +00:00 · 2022-08-18 17:53:18 +00:00 · 2022-08-18 17:53:18 +00:00 · 2b11b42c41
commit 2b11b42c41
parent feeff9e383
1 changed files with 71 additions and 6 deletions
--- a/2022/35xxx/CVE-2022-35975.json
+++ b/2022/35xxx/CVE-2022-35975.json
@ -1,18 +1,83 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-35975",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "Improper object validation allows for arbitrary code execution in GitOps Tools Extension for VSCode"
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "vscode-gitops-tools",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": ">= 0.7.0, <= 0.20.2"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "weaveworks"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "The GitOps Tools Extension for VSCode can make it easier to manage Flux objects. A specially crafted Flux object may allow for remote code execution in the machine running the extension, in the context of the user that is running VSCode. Users using the VSCode extension to manage clusters that are shared amongst other users are affected by this issue. The only safe mitigation is to update to the latest version of the extension."
            }
        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "LOW",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "HIGH",
+            "baseScore": 9.0,
+            "baseSeverity": "CRITICAL",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "HIGH",
+            "privilegesRequired": "LOW",
+            "scope": "CHANGED",
+            "userInteraction": "REQUIRED",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/weaveworks/vscode-gitops-tools/security/advisories/GHSA-873x-829r-gxcp",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/weaveworks/vscode-gitops-tools/security/advisories/GHSA-873x-829r-gxcp"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-873x-829r-gxcp",
+        "discovery": "UNKNOWN"
    }
 }