Server-Side Request Forgery and Uncontrolled Resource Consumption in LemMinX
翻译中…平台
java
组件
org.eclipse.lemminx:lemminx-parent
修复版本
0.19.1
0.19.0
CVE-2022-0671 describes a critical Server-Side Request Forgery (SSRF) and Denial-of-Service (DoS) vulnerability discovered in the vscode-xml extension for Visual Studio Code. This flaw arises from the schema download functionality, where an attacker can potentially trigger a large file download, leading to resource exhaustion and denial of service, or exploit SSRF vulnerabilities. The vulnerability affects versions of the vscode-xml extension prior to 0.19.0. A fix is available in version 0.19.0.
检测此 CVE 是否影响你的项目
上传你的 pom.xml 文件,立即知道是否受影响。
影响与攻击场景翻译中…
The vulnerability allows an attacker to induce the vscode-xml extension to download a large file from an arbitrary URL. This can lead to a denial-of-service condition by consuming excessive network bandwidth and server resources. More concerningly, the SSRF aspect allows an attacker to potentially access internal resources that the VS Code instance has access to, bypassing security controls. This could involve reading sensitive configuration files, accessing internal APIs, or even interacting with other services within the network. The impact is amplified if the VS Code instance is running with elevated privileges or has access to sensitive data. While no direct exploitation has been publicly reported, the SSRF component presents a significant risk due to its potential for data exfiltration and lateral movement.
利用背景翻译中…
This CVE is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the SSRF component makes it a high-probability vulnerability. The vulnerability was disclosed on 2022-02-19. The potential for SSRF exploitation warrants careful attention, particularly in environments where VS Code instances have access to sensitive internal resources.
哪些人处于风险中翻译中…
Developers and organizations using the vscode-xml extension in Visual Studio Code are at risk. This includes teams working with XML-based projects, particularly those who rely on schema validation or automatic schema downloads. Shared hosting environments where multiple users share a single VS Code instance are also at increased risk, as a compromised user could potentially exploit the vulnerability to impact other users.
检测步骤翻译中…
• windows / supply-chain: Monitor VS Code processes (code.exe) for unusual network connections using Get-Process | Where-Object {$_.ProcessName -eq 'code'}. Check for suspicious entries in the VS Code extension directory (typically %USERPROFILE%/.vscode/extensions) for modified or unexpected files.
Get-Process | Where-Object {$_.ProcessName -eq 'code'} | Select-Object Name, Id, CPU, WorkingSet• linux / server: Monitor VS Code processes (code) using ps aux | grep code. Examine system logs (e.g., /var/log/syslog) for errors related to schema downloads or network connections originating from the VS Code process.
ps aux | grep code• generic web: Monitor VS Code instances for outbound HTTP requests to unusual or unexpected domains. Examine VS Code's network traffic using tools like Wireshark or tcpdump for suspicious patterns.
攻击时间线
- Disclosure
disclosure
- Patch
patch
威胁情报
漏洞利用状态
EPSS
0.38% (60% 百分位)
CVSS 向量
这些指标意味着什么?
- Attack Vector
- 网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
- Attack Complexity
- 低 — 无需特殊条件,可以稳定地利用漏洞。
- Privileges Required
- 无 — 无需认证,无需凭证即可利用。
- User Interaction
- 无 — 攻击自动且无声,受害者无需任何操作。
- Scope
- 未改变 — 影响仅限于脆弱组件本身。
- Confidentiality
- 高 — 完全丧失机密性,攻击者可读取所有数据。
- Integrity
- 无 — 无完整性影响。
- Availability
- 高 — 完全崩溃或资源耗尽,完全拒绝服务。
受影响的软件
弱点分类 (CWE)
时间线
- 已保留
- 发布日期
- 修改日期
- EPSS 更新日期
缓解措施和替代方案翻译中…
The primary mitigation for CVE-2022-0671 is to immediately upgrade the vscode-xml extension to version 0.19.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the schema download functionality within the extension's settings. Network-level controls, such as a Web Application Firewall (WAF), can be configured to block requests to suspicious URLs or limit the size of downloaded files. Monitor VS Code instances for unusual network activity or resource consumption. After upgrading, confirm the fix by attempting to trigger a schema download from a known-safe URL and verifying that the download completes without errors or excessive resource usage.
修复方法翻译中…
Actualice el plugin vscode-xml a la versión 0.19.0 o superior. Esta actualización corrige la vulnerabilidad SSRF y DoS. Puede actualizar el plugin a través del marketplace de Visual Studio Code.
CVE 安全通讯
漏洞分析和关键警报直接发送到您的邮箱。
常见问题翻译中…
What is CVE-2022-0671 — SSRF/DoS in VS Code XML Extension?
CVE-2022-0671 is a critical SSRF and DoS vulnerability in the vscode-xml extension for Visual Studio Code, allowing attackers to trigger large file downloads and potentially access internal resources.
Am I affected by CVE-2022-0671 in VS Code XML Extension?
You are affected if you are using the vscode-xml extension in Visual Studio Code prior to version 0.19.0.
How do I fix CVE-2022-0671 in VS Code XML Extension?
Upgrade the vscode-xml extension to version 0.19.0 or later. Temporarily disable schema downloads if upgrading is not immediately possible.
Is CVE-2022-0671 being actively exploited?
While no direct exploitation has been publicly reported, the SSRF component presents a significant risk and warrants careful attention.
Where can I find the official VS Code advisory for CVE-2022-0671?
Refer to the vscode-xml extension's release notes and the VS Code security advisories for details: https://github.com/microsoft/vscode-xml/releases/tag/0.19.0