Описание
Visual Studio Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists when Visual Studio fails to properly validate hardlinks while extracting archived files. An attacker who successfully exploited this vulnerability could overwrite arbitrary files in the security context of the local system.
To exploit this vulnerability, an attacker would need to trick an elevated user into downloading a malicious package, either by getting them to open a malicious project or convincing them to add a malicious package to an existing project.
The vulnerabilities were introduced by NPM packages used by Visual Studio and subsequently addressed via the following two NPM advisories:
Arbitrary File Overwrite - tar
Arbitrary File Overwrite - fstream
The update addresses the vulnerability by updating the NPM packages, which corrects how Visual Studio validates hardlinks during extraction of file archives.
Обновления
| Продукт | Статья | Обновление |
|---|---|---|
| Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) | ||
| Microsoft Visual Studio 2019 version 16.0 | ||
| Microsoft Visual Studio 2019 version 16.3 |
Показывать по
Возможность эксплуатации
Publicly Disclosed
Exploited
Latest Software Release
Older Software Release
EPSS
Связанные уязвимости
An elevation of privilege vulnerability exists when Visual Studio fails to properly validate hardlinks while extracting archived files, aka 'Visual Studio Elevation of Privilege Vulnerability'.
An elevation of privilege vulnerability exists when Visual Studio fails to properly validate hardlinks while extracting archived files, aka 'Visual Studio Elevation of Privilege Vulnerability'.
Уязвимость пакетов node-tar и fstream средства разработки программного обеспечения Microsoft Visual Studio, позволяющая нарушителю изменить произвольные файлы
EPSS