Описание
Agentic AI and Visual Studio Code Remote Code Execution Vulnerability
Improper neutralization of special elements used in a command ('command injection') in Visual Studio Code CoPilot Chat Extension allows an unauthorized attacker to execute code over a network.
FAQ
According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?
A remote (AV:N) attacker could create a specially crafted GitHub issue within a user's repository. To exploit this, the user must enable a particular mode on the attacker’s crafted issue, which would execute the issue’s description and enable remote code execution by the attacker.
Обновления
| Продукт | Статья | Обновление |
|---|---|---|
| Microsoft Visual Studio Code CoPilot Chat Extension |
Показывать по
Возможность эксплуатации
Publicly Disclosed
Exploited
Latest Software Release
EPSS
8.8 High
CVSS3
Связанные уязвимости
Improper neutralization of special elements used in a command ('command injection') in Visual Studio Code CoPilot Chat Extension allows an unauthorized attacker to execute code over a network.
Improper neutralization of special elements used in a command ('command injection') in Visual Studio Code CoPilot Chat Extension allows an unauthorized attacker to execute code over a network.
Уязвимость программного обеспечения Microsoft Visual Studio Code CoPilot Chat Extension, связанная с непринятием мер по очистке данных на управляющем уровне, позволяющая нарушителю выполнить произвольный код
EPSS
8.8 High
CVSS3