Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
vscode-spell-checker has a workspace-trust bypass Code Execution
Vulnerability Description
vscode-spell-checker is a basic spell checker that works well with code and documents. Prior to v4.5.4, DocumentSettings._determineIsTrusted treats the configuration value cSpell.trustedWorkspace as the authoritative trust flag. The value defaults to true (package.json) and is read from workspace configuration each time settings are fetched. The code coerces any truthy value to true and forwards it to ConfigLoader.setIsTrusted , which in turn allows JavaScript/TypeScript configuration files ( .cspell.config.js/.mjs/.ts , etc.) to be located and executed. Because no VS Code workspace-trust state is consulted, an untrusted workspace can keep the flag true and place a malicious .cspell.config.js ; opening the workspace causes the extension host to execute attacker-controlled Node.js code with the user’s privileges. This vulnerability is fixed in v4.5.4.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerability Type
缺省权限不正确
Vulnerability Title
Spelling Checker for Visual Studio Code 安全漏洞
Vulnerability Description
Spelling Checker for Visual Studio Code是Street Side Software开源的一个简单的源代码拼写检查器。 Spelling Checker for Visual Studio Code v4.5.4之前版本存在安全漏洞,该漏洞源于配置信任标志处理不当,可能导致不受信任的工作空间执行攻击者控制的Node.js代码。
CVSS Information
N/A
Vulnerability Type
N/A