Skip to content

Information Disclosure Vulnerability

High
bpasero published GHSA-mmfh-4pv3-39hr May 9, 2023

Package

No package listed

Affected versions

1.78.0

Patched versions

1.78.1

Description

VS Code Information Disclosure Vulnerability

A information disclosure vulnerability exists in VS Code 1.78.0 and earlier versions on Windows when file system operations are performed on malicious UNC paths. Examples include reading or resolving metadata of such paths. An authorised attacker must send the user a malicious file and convince the user to open it for the vulnerability to occur. Exploiting this vulnerability could allow the disclosure of NTLM hashes.

Patches

The fix is available starting with VS Code 1.78.1. It involved changes to VS Code as well as the node.js component that VS Code leverages for file system operations:
• the change in 6a995c4 introduces a new setting security.allowedUNCHosts and a related prompt confirming to open UNC paths on startup
• the change in https://gist.github.com/bpasero/f7cf27c531146267706786e56234b8d6 patches node.js 16.17.1 to throw an error when using UNC paths in file system operations that are not in a set of allowed hosts

Workarounds

Do not open workspaces or files on UNC paths. Do not open workspaces or files that contain UNC paths as text.

References

Severity

High

CVE ID

CVE-2023-29338

Weaknesses

No CWEs