Description
An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. vscode-bazel allows the workspace path used to lint *.bzl files to be set via this config file. As such, the attacker is able to execute any executable on the system through vscode-bazel. We recommend upgrading to version 0.4.1 or above.
References
- Broken Link
- Third Party Advisory
- Broken Link
- Third Party Advisory
Vulnerable configurations
Configuration 1: version from 0.1.0 (inclusive) to 0.4.1 (exclusive)
cpe:2.3:a:google:bazel:*:*:*:*:*:visual_studio:*:*
EPSS
Percentile: 20%
Score: 0.00063
Low
CVSS3: 8.2 High
CVSS3: 7.8 High
CVSS2: 6.8 Medium
Weaknesses
CWE-73
CWE-668