CVE: CVE-2021-21420 - CVE-Search

CVE Details for CVE: CVE-2021-21420

Summary

vscode-stripe is an extension for Visual Studio Code. A vulnerability in Stripe for Visual Studio Code extension exists when it loads an untrusted source-code repository containing malicious settings. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. The update addresses the vulnerability by modifying the way the extension validates its settings.

Timestamps
Last major update	12-08-2022 - 18:02
Published	01-04-2021 - 22:15
Last modified	12-08-2022 - 18:02

References

https://github.com/stripe/vscode-stripe/security/advisories/GHSA-j6x4-4622-8vv3

Vulnerable Configurations

cpe:2.3:a:stripe:stripe:0.5.0:*:*:*:*:visual_studio_code:*:*
cpe:2.3:a:stripe:stripe:0.5.0:*:*:*:*:visual_studio_code:*:*
cpe:2.3:a:stripe:stripe:0.5.1:*:*:*:*:visual_studio_code:*:*
cpe:2.3:a:stripe:stripe:0.5.1:*:*:*:*:visual_studio_code:*:*
cpe:2.3:a:stripe:stripe:1.7.0:*:*:*:*:visual_studio_code:*:*
cpe:2.3:a:stripe:stripe:1.7.0:*:*:*:*:visual_studio_code:*:*
cpe:2.3:a:stripe:stripe:1.7.1:*:*:*:*:visual_studio_code:*:*
cpe:2.3:a:stripe:stripe:1.7.1:*:*:*:*:visual_studio_code:*:*
cpe:2.3:a:stripe:stripe:1.7.2:*:*:*:*:visual_studio_code:*:*
cpe:2.3:a:stripe:stripe:1.7.2:*:*:*:*:visual_studio_code:*:*

CAPEC

Click the CAPEC title to display a description

CWE

NVD-CWE-noinfo

CVSS

Base

6.8

Impact

6.4

Exploitability

8.6

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

CVSS3

Base

7.8

Impact

5.9

Exploitability

1.8

Access

Attack Complexity	Attack vector	Privileges Required	Scope	User Interaction
LOW	LOCAL	NONE	UNCHANGED	REQUIRED

Impact

Confidentiality	Integrity	Availability
HIGH	HIGH	HIGH

VIA4 references

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

cvss3-vector via4

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H