Published: 16/10/2020 Updated: 20/10/2020
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Microsoft Visual Studio Code (CVE-2020-17023) could allow an attacker to execute arbitrary code on the system, caused by improper input validation. By persuading a victim to open a specially crafted package.json file, an attacker could exploit this vulnerability to execute arbitrary code with the privileges of the victim. No authentication is required, but the attack depends on user interaction: the victim must open the crafted file in Visual Studio Code.

Recent Articles

Microsoft issues two emergency Windows patches
welivesecurity • 19 Oct 2020

Microsoft has rushed out fixes for two security vulnerabilities affecting Microsoft Windows Codecs Library and Visual Studio Code. The security flaws are classified as Remote Code Execution (RCE) vulnerabilities and if successfully exploited could allow threat actors to take over an affected system entirely.
Both vulnerabilities hold a score of 7.8 on the Common Vulnerability Scoring System (CVSS) scale and are considered “important” by Microsoft. There seems to be no evidence to sug...

Microsoft Fixes RCE Flaws in Out-of-Band Windows Update
Threatpost • Lindsey O'Donnell • 16 Oct 2020

Microsoft has issued out-of-band patches for two “important” severity vulnerabilities, which if exploited could allow for remote code execution.
One flaw (CVE-2020-17023) exists in Microsoft's Visual Studio Code, a free source-code editor made by Microsoft for Windows, Linux and macOS. The other (CVE-2020-17022) is in the Microsoft Windows Codecs Library; the codecs module provides stream and file interfaces for transcoding data in Windows programs.
“Microsoft has released...

Microsoft issues out-of-band Windows security updates for RCE bugs
BleepingComputer • Sergiu Gatlan • 16 Oct 2020

Microsoft has released two out-of-band security updates designed to address remote code execution (RCE) bugs found to affect Visual Studio Code and the Microsoft Windows Codecs Library.
The two vulnerabilities are tracked as CVE-2020-17022 and CVE-2020-17023, both of them being rated as important severity and marked as not being exploited in the wild.

The Register

In brief Just days after issuing fixes for scores of bugs in its products for this month's Patch Tuesday, Microsoft has issued two more patches for security holes that can be exploited by maliciously crafted files to run malware on victims' computers.
The first, CVE-2020-17023, is a Visual Studio issue that allows for remote code execution after getting the target to click on a specially crafted package.json file.
As for the second, CVE-2020-17022, that's a memory-handling bug in the...