Home > Vulnerability Database > CVE-2019-16765

Mend.io Vulnerability Database

CVE-2019-16765

Good to know:

Date: November 25, 2019

If an attacker can get a user to open a specially prepared directory tree as a workspace in Visual Studio Code with the CodeQL extension active, arbitrary code of the attacker's choosing may be executed on the user's behalf. This is fixed in version 1.0.1 of the extension. Users should upgrade to this version using Visual Studio Code Marketplace's upgrade mechanism. After upgrading, the codeQL.cli.executablePath setting can only be set in the per-user settings, and not in the per-workspace settings. More information about VS Code settings can be found here.

Language: TYPE_SCRIPT

Severity Score

7.8

Related Resources (5)

Url: https://github.com/github/vscode-codeql/security/advisories/GHSA-wf4x-8mpj-r42q

Url: https://github.com/github/vscode-codeql/blob/v1.0.1/CHANGELOG.md

Url: https://nvd.nist.gov/vuln/detail/CVE-2019-16765

Url: https://github.com/github/vscode-codeql/pull/174

Url: https://www.mend.io/vulnerability-database/CVE-2019-16765

Severity Score

7.8

Weakness Type (CWE)

Input Validation

CWE-20

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version v1.0.1

Learn More

CVSS v3.1

Base Score:	7.8
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2019-16765

Good to know:

Date: November 25, 2019

Language: TYPE_SCRIPT

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?