CVE-2020-17023

Published: 16/10/2020 Updated: 31/12/2023
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 828
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to convince a target to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute when the target opens the malicious 'package.json' file.

The update addresses the vulnerability by modifying the way Visual Studio Code handles JSON files.

Vulnerable Product

microsoft visual studio code -

Github Repositories

No Sandbox - Applications That Run Chromium and Chrome Without The Sandbox. TL;DR exploits in these browser based applications are already sandboxed escaped: https://no-sandbox.io/

No Sandbox: "Applications That Run Chromium Without The Sandbox". Page: no-sandbox.io/ Project: github.com/sickcodes/no-sandbox Twitter: twitter.com/sickcodes. The Chrome browser uses a sandbox. The sandbox status page is found in all Chromium based and Chrome applications: chrome://sandbox. See your Chrome sandbox status: chrome://sandbox/ (Righ

Recent Articles

First, Patch Tuesday. Now, Oh Hell, Monday: Microsoft emits bonus fixes for Visual Studio, Windows 10 security bugs
The Register • Iain Thomson in San Francisco • 19 Oct 2020

Plus: A warning to SharePoint operators

In brief Just days after issuing fixes for scores of bugs in its products for this month's Patch Tuesday, Microsoft has issued two more patches for security holes that can be exploited by maliciously crafted files to run malware on victims' computers. The first, CVE-2020-17023, is a Visual Studio issue that allows for remote code execution after getting the target to click on a specially crafted package.json file. As for the second, CVE-2020-17022, that's a memory-handling bug in the Windows 10 ...