SB2020051232 - Multiple vulnerabilities in MIcrosoft Visual Studio Code Python Extension

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020051232

SB2020051232 - Multiple vulnerabilities in MIcrosoft Visual Studio Code Python Extension

Published: May 12, 2020

Security Bulletin ID SB2020051232
Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2020-1192)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists in the Visual Studio Code when the Python extension loads workspace settings from a notebook file. A remote attacker can trick a victim to open a specially crafted file and execute arbitrary code in the context of the current user.


2) Input validation error (CVE-ID: CVE-2020-1171)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists in the Visual Studio Code when the Python extension loads configuration files after opening a project. A remote attacker can trick a victim to clone a repository and open it in Visual Studio Code with the Python extension installed.

Attacker-specified code would execute when the target opened the integrated terminal.


Remediation

Install update from vendor's website.

References