CVE-2019-16765 : If an attacker can get a user to open a specially prepared directory tree as a workspace in Visual Studio Code with the

If an attacker can get a user to open a specially prepared directory tree as a workspace in Visual Studio Code with the CodeQL extension active, arbitrary code of the attacker's choosing may be executed on the user's behalf. This is fixed in version 1.0.1 of the extension. Users should upgrade to this version using Visual Studio Code Marketplace's upgrade mechanism. After upgrading, the codeQL.cli.executablePath setting can only be set in the per-user settings, and not in the per-workspace settings. More information about VS Code settings can be found here.

Published 2019-11-25 18:15:12

Updated 2021-10-28 13:02:26

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Directory traversal

Exploit prediction scoring system (EPSS) score for CVE-2019-16765

Probability of exploitation activity in the next 30 days: 0.12%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 45 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2019-16765

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.4	HIGH	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N	1.0	5.8	GitHub, Inc.
Attack Vector: Local Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2019-16765

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: security-advisories@github.com (Secondary)
CWE-250 Execution with Unnecessary Privileges

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Assigned by: security-advisories@github.com (Secondary)

References for CVE-2019-16765

https://github.com/github/vscode-codeql/pull/174

Change distribution settings to machine scope by henrymercer · Pull Request #174 · github/vscode-codeql · GitHub
Patch;Third Party Advisory
https://github.com/github/vscode-codeql/security/advisories/GHSA-wf4x-8mpj-r42q

Arbitrary code execution when opening a malicious workspace · Advisory · github/vscode-codeql · GitHub
Third Party Advisory
https://github.com/github/vscode-codeql/blob/v1.0.1/CHANGELOG.md

vscode-codeql/CHANGELOG.md at v1.0.1 · github/vscode-codeql · GitHub
Release Notes

Products affected by CVE-2019-16765

Microsoft » Codeql » For Visual Studio Code
Versions before (<) 1.0.1
cpe:2.3:a:microsoft:codeql:*:*:*:*:*:visual_studio_code:*:*
Matching versions

Vulnerability Details : CVE-2019-16765

Exploit prediction scoring system (EPSS) score for CVE-2019-16765

CVSS scores for CVE-2019-16765

CWE ids for CVE-2019-16765

References for CVE-2019-16765

Products affected by CVE-2019-16765