Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
A vulnerability in the Eclipse Open VSX Registry’s automated publishing system could have allowed unauthorized uploads of extensions. Specifically, the system’s build scripts were executed without proper isolation, potentially exposing a privileged token. This token enabled the publishing of new extension versions under any namespace, including those not controlled by an attacker. However, it did not permit deletion of existing extensions, overwriting of published versions, or access to administrative features of the registry. The issue was reported on May 4, 2025, fully resolved by June 24, and followed by a comprehensive audit. No evidence of compromise was found, though 81 extensions were proactively deactivated as a precaution. The standard publishing process remained unaffected. Recommendations have been issued to mitigate similar risks in the future.
CVSS Information
N/A
Vulnerability Type
动态管理代码资源的控制不恰当
Vulnerability Title
Eclipse Open VSX 安全漏洞
Vulnerability Description
Eclipse Open VSX是Eclipse开源的一个代码扩展的开源注册表。 Eclipse Open VSX存在安全漏洞,该漏洞源于CI作业缺少沙箱限制,可能导致服务账户接管。
CVSS Information
N/A
Vulnerability Type
N/A