
Vulnerability in Stripe for Visual Studio Code < 1.7.3

High
gracegoo-stripe published GHSA-j6x4-4622-8vv3 Mar 31, 2021

Package

vscode-stripe (VSCode Extension)

Affected versions

< 1.7.3

Patched versions

1.7.3

Description

Impact

A vulnerability exists in the Stripe for Visual Studio Code extension when it loads an untrusted source-code repository containing malicious settings.

An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. The update addresses the vulnerability by modifying the way the extension validates its settings.

There has been no evidence of exploitation of this vulnerability.
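A triage check for the scenario above, as an added example that is not part of the advisory or of Stripe's code: it parses a repository's `.vscode/settings.json` (or a `*.code-workspace` file), which VS Code allows to contain comments and trailing commas, and lists every setting the repository supplies for the extension. The advisory does not name the affected setting, so the `stripe.` key prefix is an assumption and `stripe.exampleSetting` is a constructed placeholder.

```python
import json

PREFIX = "stripe."  # assumption: namespace of the extension's settings keys

def strip_jsonc(text):
    """Drop // and /* */ comments and trailing commas; string contents are kept."""
    out, i, in_str = [], 0, False
    while i < len(text):
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < len(text):  # copy the escaped character as-is
                i += 1
                out.append(text[i])
            elif ch == '"':
                in_str = False
        elif text[i:i + 2] in ("//", "/*"):
            block = text[i + 1] == "*"
            end = text.find("*/" if block else "\n", i + 2)
            i = len(text) if end == -1 else end + 2 * block
            continue
        else:
            if ch in "}]":  # remove a trailing comma before the closing bracket
                j = len(out) - 1
                while j >= 0 and out[j].isspace():
                    j -= 1
                if j >= 0 and out[j] == ",":
                    del out[j]
            in_str = ch == '"'
            out.append(ch)
        i += 1
    return "".join(out)

def repo_supplied_settings(text, code_workspace=False):
    """Return sorted (key, value) pairs under PREFIX that a settings file sets."""
    doc = json.loads(strip_jsonc(text))
    if code_workspace and isinstance(doc, dict):
        doc = doc.get("settings", {})  # *.code-workspace nests settings here
    items = doc.items() if isinstance(doc, dict) else []
    return sorted((k, v) for k, v in items if k.startswith(PREFIX))

# Constructed sample of a repository's .vscode/settings.json; the key is a placeholder.
SAMPLE = """{
  "editor.tabSize": 2,
  "stripe.exampleSetting": "./tools/placeholder", // hypothetical key
}"""

if __name__ == "__main__":
    print(repo_supplied_settings(SAMPLE))
```

Any pair it returns is a value chosen by the repository author rather than the user, which is the input class the 1.7.3 fix validates.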

Recommendation

Upgrade to Stripe for Visual Studio Code 1.7.3.

Acknowledgments

Thanks to David Dworken for reporting the issue.

For more information

Email us at security@stripe.com

Severity

High 7.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE ID

CVE-2021-21420

Weaknesses

No CWEs