Information Disclosure Vulnerability

Moderate
mjbvz published GHSA-fj7x-w8c2-xx4c Oct 11, 2022

Package

No package listed

Affected versions

< 1.71.1

Patched versions

1.71.1

Description

An information disclosure vulnerability exists in VS Code 1.71 and earlier versions. If an attacker is able to run arbitrary scripts inside of a webview (either created by an extension or by core VS Code), the attacker could bypass the local resource roots check to read arbitrary files on the

Patches

The fix is available starting with VS Code 1.71.1. The fix mitigates this attack by performing input validation on the URL pointing to the repository to be cloned.

Workarounds

Only use webviews from extensions that follow proper security measures to block script injection

Do not disable VS Code's default security measures in the built-in markdown preview

References

Severity

Moderate

CVE ID

CVE-2022-41042

Weaknesses

No CWEs