Vulnerabilities > CVE-2019-1414 - Unspecified vulnerability in Microsoft Visual Studio Code

CVSS 7.2 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

local

low complexity

microsoft

nessus

NVD

Published: 2020-01-24

Updated: 2020-08-24

Summary

An elevation of privilege vulnerability exists in Visual Studio Code when it exposes a debug listener to users of a local computer, aka 'Visual Studio Code Elevation of Privilege Vulnerability'.

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Visual Studio Code - Microsoft Visual Studio Code 0.0.3 Microsoft Visual Studio Code 0.0.4 Microsoft Visual Studio Code 0.1.0 Microsoft Visual Studio Code 0.1.1 Microsoft Visual Studio Code 0.1.2 Microsoft Visual Studio Code 0.1.3 Microsoft Visual Studio Code 0.2.0 Microsoft Visual Studio Code 0.2.1 Microsoft Visual Studio Code 0.2.2 Microsoft Visual Studio Code 0.2.3 Microsoft Visual Studio Code 0.2.4 Microsoft Visual Studio Code 0.2.5 Microsoft Visual Studio Code 0.2.6 Microsoft Visual Studio Code 0.2.7 Microsoft Visual Studio Code 0.2.8 Microsoft Visual Studio Code 0.2.9 Microsoft Visual Studio Code 0.3.0 Microsoft Visual Studio Code 0.3.3 Microsoft Visual Studio Code 0.3.4 Microsoft Visual Studio Code 0.3.5 Microsoft Visual Studio Code 0.3.6 Microsoft Visual Studio Code 0.3.7 Microsoft Visual Studio Code 0.3.8 Microsoft Visual Studio Code 0.3.9 Microsoft Visual Studio Code 0.3.10 Microsoft Visual Studio Code 0.3.11 Microsoft Visual Studio Code 0.3.12 Microsoft Visual Studio Code 0.3.13 Microsoft Visual Studio Code 0.3.14 Microsoft Visual Studio Code 0.3.15 Microsoft Visual Studio Code 0.3.18 Microsoft Visual Studio Code 0.3.19 Microsoft Visual Studio Code 0.3.20 Microsoft Visual Studio Code 0.3.21 Microsoft Visual Studio Code 0.3.22 Microsoft Visual Studio Code 0.3.23 Microsoft Visual Studio Code 0.3.24 Microsoft Visual Studio Code 0.4.0 Microsoft Visual Studio Code 0.4.1 Microsoft Visual Studio Code 0.4.2 Microsoft Visual Studio Code 0.5.0 Microsoft Visual Studio Code 0.5.1 Microsoft Visual Studio Code 0.5.2 Microsoft Visual Studio Code 0.5.3 Microsoft Visual Studio Code 0.5.4 Microsoft Visual Studio Code 0.5.6 Microsoft Visual Studio Code 0.5.7 Microsoft Visual Studio Code 0.5.8 Microsoft Visual Studio Code 0.5.9 Microsoft Visual Studio Code 0.6.5 Microsoft Visual Studio Code 0.6.9 Microsoft Visual Studio Code 0.7.0 Microsoft Visual Studio Code 0.8.0 Microsoft Visual Studio Code 0.9.0 Microsoft Visual Studio Code 0.9.1 Microsoft Visual Studio Code 0.10.1 Microsoft Visual Studio Code 0.10.2 Microsoft Visual Studio Code 0.10.3 Microsoft Visual Studio Code 0.10.5 Microsoft Visual Studio Code 0.10.6 Microsoft Visual Studio Code 0.10.8 Microsoft Visual Studio Code 0.10.9 Microsoft Visual Studio Code 0.10.10 Microsoft Visual Studio Code 0.10.11 Microsoft Visual Studio Code 0.11.0 Microsoft Visual Studio Code 0.11.1 Microsoft Visual Studio Code 0.11.2 Microsoft Visual Studio Code 0.11.3 Microsoft Visual Studio Code 0.12.0 Microsoft Visual Studio Code 0.12.1 Microsoft Visual Studio Code 0.13.0 Microsoft Visual Studio Code 0.14.0 Microsoft Visual Studio Code 0.14.1 Microsoft Visual Studio Code 0.14.2 Microsoft Visual Studio Code 0.15.0 Microsoft Visual Studio Code 0.15.1 Microsoft Visual Studio Code 0.15.2 Microsoft Visual Studio Code 0.16.0 Microsoft Visual Studio Code 0.16.1 Microsoft Visual Studio Code 0.16.2 Microsoft Visual Studio Code 0.17.0 Microsoft Visual Studio Code 0.17.1 Microsoft Visual Studio Code 0.18.0 Microsoft Visual Studio Code 0.18.1 Microsoft Visual Studio Code 0.18.2 Microsoft Visual Studio Code 0.19.0 Microsoft Visual Studio Code 0.19.1 Microsoft Visual Studio Code 0.20.0 Microsoft Visual Studio Code 0.20.1 Microsoft Visual Studio Code 0.20.2 Microsoft Visual Studio Code 0.21.0 Microsoft Visual Studio Code 0.21.1 Microsoft Visual Studio Code 0.21.2 Microsoft Visual Studio Code 0.21.3 Microsoft Visual Studio Code 0.21.4 Microsoft Visual Studio Code 0.22.0 Microsoft Visual Studio Code 0.23.0 Microsoft Visual Studio Code 0.24.0 Microsoft Visual Studio Code 0.24.1 Microsoft Visual Studio Code 1.0.0 Microsoft Visual Studio Code 1.1.0 Microsoft Visual Studio Code 1.1.1 Microsoft Visual Studio Code 1.2 Microsoft Visual Studio Code 1.2.1 Microsoft Visual Studio Code 1.3 Microsoft Visual Studio Code 1.3.1 Microsoft Visual Studio Code 1.4 Microsoft Visual Studio Code 1.5 Microsoft Visual Studio Code 1.5.1 Microsoft Visual Studio Code 1.5.2 Microsoft Visual Studio Code 1.5.3 Microsoft Visual Studio Code 1.6 Microsoft Visual Studio Code 1.6.1 Microsoft Visual Studio Code 1.7 Microsoft Visual Studio Code 1.7.1 Microsoft Visual Studio Code 1.7.2 Microsoft Visual Studio Code 1.8 Microsoft Visual Studio Code 1.8.1 Microsoft Visual Studio Code 1.9 Microsoft Visual Studio Code 1.9.1 Microsoft Visual Studio Code 1.10 Microsoft Visual Studio Code 1.10.1 Microsoft Visual Studio Code 1.10.2 Microsoft Visual Studio Code 1.11 Microsoft Visual Studio Code 1.11.1 Microsoft Visual Studio Code 1.11.2 Microsoft Visual Studio Code 1.12 Microsoft Visual Studio Code 1.12.1 Microsoft Visual Studio Code 1.12.2 Microsoft Visual Studio Code 1.13 Microsoft Visual Studio Code 1.13.1 Microsoft Visual Studio Code 1.14 Microsoft Visual Studio Code 1.14.1 Microsoft Visual Studio Code 1.14.2 Microsoft Visual Studio Code 1.15 Microsoft Visual Studio Code 1.15.1 Microsoft Visual Studio Code 1.16 Microsoft Visual Studio Code 1.16.1 Microsoft Visual Studio Code 1.17 Microsoft Visual Studio Code 1.17.1 Microsoft Visual Studio Code 1.17.2 Microsoft Visual Studio Code 1.18 Microsoft Visual Studio Code 1.18.1 Microsoft Visual Studio Code 1.19 Microsoft Visual Studio Code 1.19.1 Microsoft Visual Studio Code 1.19.2 Microsoft Visual Studio Code 1.19.3 Microsoft Visual Studio Code 1.20 Microsoft Visual Studio Code 1.20.1 Microsoft Visual Studio Code 1.21 Microsoft Visual Studio Code 1.21.1 Microsoft Visual Studio Code 1.22 Microsoft Visual Studio Code 1.22.1 Microsoft Visual Studio Code 1.22.2 Microsoft Visual Studio Code 1.23 Microsoft Visual Studio Code 1.23.1 Microsoft Visual Studio Code 1.24 Microsoft Visual Studio Code 1.24.1 Microsoft Visual Studio Code 1.25 Microsoft Visual Studio Code 1.25.1 Microsoft Visual Studio Code 1.26 Microsoft Visual Studio Code 1.26.1 Microsoft Visual Studio Code 1.27 Microsoft Visual Studio Code 1.27.1 Microsoft Visual Studio Code 1.27.2 Microsoft Visual Studio Code 1.28 Microsoft Visual Studio Code 1.28.1 Microsoft Visual Studio Code 1.28.2 Microsoft Visual Studio Code 1.29 Microsoft Visual Studio Code 1.29.1 Microsoft Visual Studio Code 1.30 Microsoft Visual Studio Code 1.30.1 Microsoft Visual Studio Code 1.30.2 Microsoft Visual Studio Code 1.31 Microsoft Visual Studio Code 1.31.1 Microsoft Visual Studio Code 1.32 Microsoft Visual Studio Code 1.32.1 Microsoft Visual Studio Code 1.32.2 Microsoft Visual Studio Code 1.32.3 Microsoft Visual Studio Code 1.33 Microsoft Visual Studio Code 1.33.1 Microsoft Visual Studio Code 1.34 Microsoft Visual Studio Code 1.35 Microsoft Visual Studio Code 1.35.1 Microsoft Visual Studio Code 1.36 Microsoft Visual Studio Code 1.36.1 Microsoft Visual Studio Code 1.37 Microsoft Visual Studio Code 1.37.1 Microsoft Visual Studio Code 1.38 Microsoft Visual Studio Code 1.38.1	191

Nessus

NASL family	Windows
NASL id	SMB_NT_MS19_OCT_VISUAL_STUDIO_CODE_OOB.NASL
description	The version of Microsoft Visual Studio Code installed on the remote Windows host is prior to 1.39.1. It is, therefore, affected by the following vulnerability: - An elevation of privilege vulnerability exists in Visual Studio Code when it exposes a debug listener to users of a local computer. A local attacker who successfully exploited the vulnerability could inject arbitrary code to run in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
last seen	2020-03-18
modified	2019-11-26
plugin id	131318
published	2019-11-26
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/131318
title	Security Update for Microsoft Visual Studio Code (CVE-2019-1414)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the Microsoft Security Updates API. The text # itself is copyright (C) Microsoft Corporation. # include('compat.inc'); if (description) { script_id(131318); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/27"); script_cve_id("CVE-2019-1414"); script_name(english:"Security Update for Microsoft Visual Studio Code (CVE-2019-1414)"); script_summary(english:"Checks for Microsoft security updates."); script_set_attribute(attribute:"synopsis", value: "The remote host has an application installed that is missing a security update."); script_set_attribute(attribute:"description", value: "The version of Microsoft Visual Studio Code installed on the remote Windows host is prior to 1.39.1. It is, therefore, affected by the following vulnerability: - An elevation of privilege vulnerability exists in Visual Studio Code when it exposes a debug listener to users of a local computer. A local attacker who successfully exploited the vulnerability could inject arbitrary code to run in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."); script_set_attribute(attribute:"see_also", value:"https://code.visualstudio.com/updates/v1_39"); # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1414 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8d9ef742"); script_set_attribute(attribute:"solution", value: "Upgrade to Microsoft Visual Studio Code 1.39.1 or later."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1414"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/17"); script_set_attribute(attribute:"patch_publication_date", value:"2019/10/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/26"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visual_studio_code"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("microsoft_visual_studio_code_installed.nbin", "microsoft_visual_studio_code_win_user_installed.nbin"); script_require_keys("installed_sw/Microsoft Visual Studio Code", "SMB/Registry/Enumerated"); exit(0); } include('vcf.inc'); get_kb_item_or_exit('SMB/Registry/Enumerated'); app_info = vcf::get_app_info(app:'Microsoft Visual Studio Code', win_local:TRUE); vcf::check_granularity(app_info:app_info, sig_segments:3); constraints = [ { 'fixed_version' : '1.39.1' } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1414