Platform
java
Component
org.eclipse.lemminx:lemminx-parent
Fixed in
0.19.1
0.19.0
CVE-2022-0671 describes a critical Server-Side Request Forgery (SSRF) and Denial-of-Service (DoS) vulnerability discovered in the vscode-xml extension for Visual Studio Code. This flaw arises from the schema download functionality, where an attacker can potentially trigger a large file download, leading to resource exhaustion and denial of service, or exploit SSRF vulnerabilities. The vulnerability affects versions of the vscode-xml extension prior to 0.19.0. A fix is available in version 0.19.0.
The vulnerability allows an attacker to induce the vscode-xml extension to download a large file from an arbitrary URL. This can lead to a denial-of-service condition by consuming excessive network bandwidth and server resources. More concerningly, the SSRF aspect allows an attacker to potentially access internal resources that the VS Code instance has access to, bypassing security controls. This could involve reading sensitive configuration files, accessing internal APIs, or even interacting with other services within the network. The impact is amplified if the VS Code instance is running with elevated privileges or has access to sensitive data. While no direct exploitation has been publicly reported, the SSRF component presents a significant risk due to its potential for data exfiltration and lateral movement.
This CVE is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the SSRF component makes it a high-probability vulnerability. The vulnerability was disclosed on 2022-02-19. The potential for SSRF exploitation warrants careful attention, particularly in environments where VS Code instances have access to sensitive internal resources.
Exploit Status
EPSS
0.38% (60% percentile)
CVSS Vector
The primary mitigation for CVE-2022-0671 is to immediately upgrade the vscode-xml extension to version 0.19.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the schema download functionality within the extension's settings. Network-level controls, such as a Web Application Firewall (WAF), can be configured to block requests to suspicious URLs or limit the size of downloaded files. Monitor VS Code instances for unusual network activity or resource consumption. After upgrading, confirm the fix by attempting to trigger a schema download from a known-safe URL and verifying that the download completes without errors or excessive resource usage.
Update the vscode-xml plugin to version 0.19.0 or higher. This update fixes the SSRF (Server-Side Request Forgery) and DoS (Denial of Service) vulnerability. You can update the plugin through the Visual Studio Code marketplace.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2022-0671 is a critical SSRF and DoS vulnerability in the vscode-xml extension for Visual Studio Code, allowing attackers to trigger large file downloads and potentially access internal resources.
You are affected if you are using the vscode-xml extension in Visual Studio Code prior to version 0.19.0.
Upgrade the vscode-xml extension to version 0.19.0 or later. Temporarily disable schema downloads if upgrading is not immediately possible.
While no direct exploitation has been publicly reported, the SSRF component presents a significant risk and warrants careful attention.
Refer to the vscode-xml extension's release notes and the VS Code security advisories for details: https://github.com/microsoft/vscode-xml/releases/tag/0.19.0
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.