CVE-2021-21415

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2021-21415
Prisma VS Code a VSCode extension for Prisma schema files. This is a Remote Code Execution Vulnerability that affects all versions of the Prisma VS Code extension older than 2.20.0. If a custom binary path for the Prisma format binary is set in VS Code Settings, for example by downloading a project that has a .vscode/settings.json file that sets a value for "prismaFmtBinPath". That custom binary is executed when auto-formatting is triggered by VS Code or when validation checks are triggered after each keypress on a *.prisma file. Fixed in versions 2.20.0 and 20.0.27. As a workaround users can either edit or delete the `.vscode/settings.json` file or check if the binary is malicious and delete it.

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
https://github.com/prisma/language-tools/pull/750 Patch Third Party Advisory
https://github.com/prisma/language-tools/security/advisories/GHSA-4rf9-43m7-x828 Third Party Advisory
https://marketplace.visualstudio.com/items?itemName=Prisma.prisma Product
https://marketplace.visualstudio.com/items?itemName=Prisma.prisma-insider Product
https://github.com/prisma/language-tools/pull/750 Patch Third Party Advisory
https://github.com/prisma/language-tools/security/advisories/GHSA-4rf9-43m7-x828 Third Party Advisory
https://marketplace.visualstudio.com/items?itemName=Prisma.prisma Product
https://marketplace.visualstudio.com/items?itemName=Prisma.prisma-insider Product
Configurations

Configuration 1 (hide)

cpe:2.3:a:prisma:language-tools:*:*:*:*:*:visual_studio_code:*:*
History

21 Nov 2024, 05:48

Type Values Removed Values Added
References () https://github.com/prisma/language-tools/pull/750 - Patch, Third Party Advisory () https://github.com/prisma/language-tools/pull/750 - Patch, Third Party Advisory
References () https://github.com/prisma/language-tools/security/advisories/GHSA-4rf9-43m7-x828 - Third Party Advisory () https://github.com/prisma/language-tools/security/advisories/GHSA-4rf9-43m7-x828 - Third Party Advisory
References () https://marketplace.visualstudio.com/items?itemName=Prisma.prisma - Product () https://marketplace.visualstudio.com/items?itemName=Prisma.prisma - Product
References () https://marketplace.visualstudio.com/items?itemName=Prisma.prisma-insider - Product () https://marketplace.visualstudio.com/items?itemName=Prisma.prisma-insider - Product
Information

Published : 2021-04-29 17:15

Updated : 2024-11-21 05:48

NVD link : CVE-2021-21415

Mitre link : CVE-2021-21415

CVE.ORG link : CVE-2021-21415

JSON object : View

Products Affected

prisma

  • language-tools
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

NVD-CWE-Other

NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024