CVE-2021-28477 — Prototype Pollution in Microsoft Visual Studio Code

CWE-1321 — Prototype Pollution CWE-843 — Type Confusion6 documents6 sources

Severity

7.8HIGHNVD

CNA7.0GHSA7.5

EPSS

4.7%

top 10.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Visual Studio Code

Timeline

PublishedApr 13

Latest updateMay 24

Description

Visual Studio Code Remote Code Execution Vulnerability

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5microsoft/visual_studio_code1.0.0 — publication

▶NVDmicrosoft/visual_studio_code< 1.55.2

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-p4m7-8c9r-p5fg: Visual Studio Code Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-28457, CVE-2021-28469, CVE-2021-28473, CVE-2021-28475↗2022-05-24

▶

GHSA

Prototype Pollution in immer↗2021-09-02

▶

CVEList

Visual Studio Code Remote Code Execution Vulnerability↗2021-04-13

▶

📋Vendor Advisories

Red Hat

immer: type confusion vulnerability can lead to a bypass of CVE-2020-28477↗2021-09-01

▶

Microsoft

Visual Studio Code Remote Code Execution Vulnerability↗2021-04-13

▶