Lucene search

GitHub_MCVELIST:CVE-2022-35975

HistoryAug 18, 2022 - 5:55 p.m.

CVE-2022-35975 Improper object validation allows for arbitrary code execution in GitOps Tools Extension for VSCode

2022-08-1817:55:08

CWE-78

GitHub_M

www.cve.org

cve-2022-35975

arbitrary code execution

gitops tools extension

vscode

flux objects

remote code execution

shared clusters

extension update

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

AI Score

9.9

Confidence

High

EPSS

0.005

Percentile

77.2%

JSON

The GitOps Tools Extension for VSCode can make it easier to manage Flux objects. A specially crafted Flux object may allow for remote code execution in the machine running the extension, in the context of the user that is running VSCode. Users using the VSCode extension to manage clusters that are shared amongst other users are affected by this issue. The only safe mitigation is to update to the latest version of the extension.

CNA Affected

[
  {
    "product": "vscode-gitops-tools",
    "vendor": "weaveworks",
    "versions": [
      {
        "status": "affected",
        "version": ">= 0.7.0, <= 0.20.2"
      }
    ]
  }
]

References

github.com/weaveworks/vscode-gitops-tools/security/advisories/GHSA-873x-829r-gxcp

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

AI Score

9.9

Confidence

High

EPSS

0.005

Percentile

77.2%

JSON

Related for CVELIST:CVE-2022-35975