Date: Wed, 13 Sep 2023 09:11:07 GMT From: Hiroki Tagato <tagattie@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 296cf69a5074 - main - security/vuxml: document vscode remote code execution vulnerability Message-ID: <202309130911.38D9B76j009606@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by tagattie: URL: https://cgit.FreeBSD.org/ports/commit/?id=296cf69a5074b78f23d78d1224375340d126bdad commit 296cf69a5074b78f23d78d1224375340d126bdad Author: Hiroki Tagato <tagattie@FreeBSD.org> AuthorDate: 2023-09-13 09:09:25 +0000 Commit: Hiroki Tagato <tagattie@FreeBSD.org> CommitDate: 2023-09-13 09:09:25 +0000 security/vuxml: document vscode remote code execution vulnerability Obtained from: https://github.com/microsoft/vscode/issues/192906 --- security/vuxml/vuln/2023.xml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 4899d98e6897..278f7fc243d9 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,32 @@ + <vuln vid="4bc66a81-89d2-4696-a04b-defd2eb77783"> + <topic>vscode -- VS Code Remote Code Execution Vulnerability</topic> + <affects> + <package> + <name>vscode</name> + <range><lt>1.82.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>VSCode developers report:</p> + <blockquote cite="https://github.com/microsoft/vscode/security/advisories/GHSA-r6q2-478f-5gmr">; + <p>Visual Studio Code Remote Code Execution Vulnerability</p> + <p>A remote code execution vulnerability exists in VS Code 1.82.0 and earlier versions that working in a maliciously crafted package.json can result in executing commands locally. This scenario would require the attacker to get the VS Code user to open the malicious project and have get the user to open and work with malformed entries in the dependencies sections of the package.json file.</p> + <p>VS Code uses the locally installed npm command to fetch information on package dependencies. A package dependency can be named in such a way that the npm tool runs a script instead.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2023-36742</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2023-36742</url>; + <url>https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36742</url>; + </references> + <dates> + <discovery>2023-09-12</discovery> + <entry>2023-09-13</entry> + </dates> + </vuln> + <vuln vid="8eefa87f-31f1-496d-bf8e-2b465b6e4e8a"> <topic>zeek -- potential DoS vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202309130911.38D9B76j009606>