Visual Studio Code Maven for Java Extension Remote Code Execution Vulnerability
• glitchnsec
CVE: CVE-2021-28472
CVSS3.1: 9.6, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vendor: Microsoft
CWEs:
- CWE-15: External Control of System or Configuration Setting
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected Products:
- Maven for Java Extension for Visual Studio Code
Other Advisories:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28472
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28472
Description
This vulnerability is due to improper validation of the maven.executable.options value read from settings.json when the extension constructs the mvn command line during activation. Because the setting is consumed without validation, a workspace-supplied settings.json can influence the command that is executed (CWE-78).
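To make the class of defect concrete, the following is an added illustration and not code from the Maven for Java extension or from Microsoft. It contrasts the pattern the description points at (a settings.json value folded into a shell command line) with a construction that tokenizes the value itself and never hands it to a shell. The function names, the LaunchSpec shape, the SAFE_TOKEN character set and the sample settings values are assumptions made for this example.

```typescript
// Added illustration, not code from the Maven for Java extension. It contrasts two
// ways an extension might turn the user-controlled setting maven.executable.options
// into a process launch. Function names, the LaunchSpec shape and SAFE_TOKEN are
// assumptions made for this example.

/** What a process launcher needs: the program, its argv, and whether a shell parses anything. */
interface LaunchSpec {
  command: string;
  args: string[];
  shell: boolean;
}

/**
 * Vulnerable pattern (CWE-78): the raw setting is spliced into one command line and
 * handed to a shell, so any shell operator inside the setting ends the mvn command
 * and starts another one.
 */
function buildMavenLaunchUnsafe(mvn: string, executableOptions: string, goals: string[]): LaunchSpec {
  return { command: `${mvn} ${executableOptions} ${goals.join(" ")}`, args: [], shell: true };
}

/**
 * Split the setting into argv tokens ourselves, honouring single and double quotes
 * so values with spaces still work, but never interpreting shell operators.
 */
function tokenizeOptions(executableOptions: string): string[] {
  const tokens: string[] = [];
  let current = "";
  let quote = "";        // the quote character we are inside of, or "" when outside
  let inToken = false;
  for (let i = 0; i < executableOptions.length; i++) {
    const ch = executableOptions[i];
    if (quote !== "") {
      if (ch === quote) { quote = ""; } else { current += ch; }
    } else if (ch === "'" || ch === '"') {
      quote = ch;
      inToken = true;      // an empty quoted string is still a token
    } else if (ch === " " || ch === "\t") {
      if (inToken) { tokens.push(current); current = ""; inToken = false; }
    } else {
      current += ch;
      inToken = true;
    }
  }
  if (quote !== "") throw new Error("maven.executable.options: unterminated quote");
  if (inToken) tokens.push(current);
  return tokens;
}

/**
 * Defence in depth: only characters that appear in Maven flags, -Dkey=value pairs
 * and file paths are accepted. Shell operators, quotes and control characters are
 * rejected even though the launch below never uses a shell.
 */
const SAFE_TOKEN = /^[A-Za-z0-9_.=:\/\\,@+%~ -]+$/;

function validateOptionTokens(tokens: string[]): string[] {
  for (const t of tokens) {
    if (!SAFE_TOKEN.test(t)) {
      throw new Error(`maven.executable.options: rejected token ${JSON.stringify(t)}`);
    }
  }
  return tokens;
}

/**
 * Hardened pattern: argv is assembled by the extension and passed with shell: false
 * (the shape child_process.spawn(command, args, { shell: false }) expects), so the
 * setting can add Maven options but can never introduce a second command.
 */
function buildMavenLaunchSafe(mvn: string, executableOptions: string, goals: string[]): LaunchSpec {
  const args = validateOptionTokens(tokenizeOptions(executableOptions)).concat(goals);
  return { command: mvn, args: args, shell: false };
}

// Constructed sample settings: one ordinary, one carrying a shell separator.
const ORDINARY_OPTIONS = '-B -Dmaven.test.skip=true -Dproject.name="my app"';
const SUSPICIOUS_OPTIONS = "-q; echo injected";

console.log(buildMavenLaunchSafe("mvn", ORDINARY_OPTIONS, ["clean", "package"]));
console.log(buildMavenLaunchUnsafe("mvn", SUSPICIOUS_OPTIONS, ["compile"]).command);
```

The decisive control is shell: false with an argv array the extension assembled itself; with that in place a token such as `-q;` reaches mvn as a literal argument that Maven rejects, rather than as a command separator. The SAFE_TOKEN allowlist is a second layer that makes a malformed setting fail loudly at activation and protects against a later refactor that reintroduces a shell. When reviewing an extension for this defect, look for any place a workspace setting is interpolated into a string that is then passed to exec or to spawn with shell: true.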
Fixed Versions:
- Maven for Java 0.29.0

Disclosure Timeline
- 2021-03-15 - Vulnerability reported to ZDI
- 2021-03-17 - Vulnerability reported to vendor by ZDI
- 2021-04-13 - Coordinated public release of advisory