CVE-2020-1192 — Improper Input Validation in Microsoft Python

CWE-20 — Improper Input Validation5 documents5 sources

Severity

7.8HIGHNVD

CNA8.8

EPSS

41.2%

top 2.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Python Microsoft Visual Studio Code

Timeline

PublishedMay 21

Latest updateMay 24

Description

A remote code execution vulnerability exists in Visual Studio Code when the Python extension loads workspace settings from a notebook file, aka 'Visual Studio Code Python Extension Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1171.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5microsoft/visual_studio_codeunspecified

▶NVDmicrosoft/python< 2020.5.0

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-7c3q-gqj2-m85j: A remote code execution vulnerability exists in Visual Studio Code when the Python extension loads workspace settings from a notebook file, aka 'Visua↗2022-05-24

▶

CVEList

CVE-2020-1192: A remote code execution vulnerability exists in Visual Studio Code when the Python extension loads workspace settings from a notebook file, aka 'Visua↗2020-05-21

▶

📋Vendor Advisories

Microsoft

Visual Studio Code Python Extension Remote Code Execution Vulnerability↗2020-05-12

▶

💬Community

Bugzilla

CVE-2018-14434 ImageMagick: memory leak for a colormap in WriteMPCImage in coders/mpc.c↗2018-07-30

▶