CVE-2021-21415 - OpenCVE

Prisma VS Code a VSCode extension for Prisma schema files. This is a Remote Code Execution Vulnerability that affects all versions of the Prisma VS Code extension older than 2.20.0. If a custom binary path for the Prisma format binary is set in VS Code Settings, for example by downloading a project that has a .vscode/settings.json file that sets a value for "prismaFmtBinPath". That custom binary is executed when auto-formatting is triggered by VS Code or when validation checks are triggered after each keypress on a *.prisma file. Fixed in versions 2.20.0 and 20.0.27. As a workaround users can either edit or delete the `.vscode/settings.json` file or check if the binary is malicious and delete it.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Prisma	Language-tools

Configuration 1 [-]

cpe:2.3:a:prisma:language-tools:*:*:*:*:*:visual_studio_code:*:*

No data.

References

Link	Providers
https://github.com/prisma/language-tools/pull/750
https://github.com/prisma/language-tools/security/advisories/GHSA-4rf9-43m7-x828
https://marketplace.visualstudio.com/items?itemName=Prisma.prisma
https://marketplace.visualstudio.com/items?itemName=Prisma.prisma-insider

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-04-29T16:50:15

Updated: 2024-08-03T18:09:16.078Z

Reserved: 2020-12-22T00:00:00

Link: CVE-2021-21415

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-04-29T17:15:08.977

Modified: 2022-10-21T22:43:42.550

Link: CVE-2021-21415

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "language-tools", "vendor": "prisma", "versions": [{"status": "affected", "version": ">= 2.1.0, < 2.20.0"}, {"status": "affected", "version": "< 20.0.27"}]}], "descriptions": [{"lang": "en", "value": "Prisma VS Code a VSCode extension for Prisma schema files. This is a Remote Code Execution Vulnerability that affects all versions of the Prisma VS Code extension older than 2.20.0. If a custom binary path for the Prisma format binary is set in VS Code Settings, for example by downloading a project that has a .vscode/settings.json file that sets a value for \"prismaFmtBinPath\". That custom binary is executed when auto-formatting is triggered by VS Code or when validation checks are triggered after each keypress on a *.prisma file. Fixed in versions 2.20.0 and 20.0.27. As a workaround users can either edit or delete the `.vscode/settings.json` file or check if the binary is malicious and delete it."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "{\"CWE-94\":\"Improper Control of Generation of Code ('Code Injection')\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-29T16:50:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/prisma/language-tools/security/advisories/GHSA-4rf9-43m7-x828"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/prisma/language-tools/pull/750"}, {"tags": ["x_refsource_MISC"], "url": "https://marketplace.visualstudio.com/items?itemName=Prisma.prisma"}, {"tags": ["x_refsource_MISC"], "url": "https://marketplace.visualstudio.com/items?itemName=Prisma.prisma-insider"}], "source": {"advisory": "GHSA-4rf9-43m7-x828", "discovery": "UNKNOWN"}, "title": "Visual Studio Code Prisma Extension Remote Code Execution Vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21415", "STATE": "PUBLIC", "TITLE": "Visual Studio Code Prisma Extension Remote Code Execution Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "language-tools", "version": {"version_data": [{"version_value": ">= 2.1.0, < 2.20.0"}, {"version_value": "< 20.0.27"}]}}]}, "vendor_name": "prisma"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Prisma VS Code a VSCode extension for Prisma schema files. This is a Remote Code Execution Vulnerability that affects all versions of the Prisma VS Code extension older than 2.20.0. If a custom binary path for the Prisma format binary is set in VS Code Settings, for example by downloading a project that has a .vscode/settings.json file that sets a value for \"prismaFmtBinPath\". That custom binary is executed when auto-formatting is triggered by VS Code or when validation checks are triggered after each keypress on a *.prisma file. Fixed in versions 2.20.0 and 20.0.27. As a workaround users can either edit or delete the `.vscode/settings.json` file or check if the binary is malicious and delete it."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-94\":\"Improper Control of Generation of Code ('Code Injection')\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/prisma/language-tools/security/advisories/GHSA-4rf9-43m7-x828", "refsource": "CONFIRM", "url": "https://github.com/prisma/language-tools/security/advisories/GHSA-4rf9-43m7-x828"}, {"name": "https://github.com/prisma/language-tools/pull/750", "refsource": "MISC", "url": "https://github.com/prisma/language-tools/pull/750"}, {"name": "https://marketplace.visualstudio.com/items?itemName=Prisma.prisma", "refsource": "MISC", "url": "https://marketplace.visualstudio.com/items?itemName=Prisma.prisma"}, {"name": "https://marketplace.visualstudio.com/items?itemName=Prisma.prisma-insider", "refsource": "MISC", "url": "https://marketplace.visualstudio.com/items?itemName=Prisma.prisma-insider"}]}, "source": {"advisory": "GHSA-4rf9-43m7-x828", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:16.078Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/prisma/language-tools/security/advisories/GHSA-4rf9-43m7-x828"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/prisma/language-tools/pull/750"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://marketplace.visualstudio.com/items?itemName=Prisma.prisma"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://marketplace.visualstudio.com/items?itemName=Prisma.prisma-insider"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21415", "datePublished": "2021-04-29T16:50:15", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:16.078Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:prisma:language-tools:*:*:*:*:*:visual_studio_code:*:*", "matchCriteriaId": "D5927100-7D5D-4C60-ACC0-7474A820CB2D", "versionEndExcluding": "2.20.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Prisma VS Code a VSCode extension for Prisma schema files. This is a Remote Code Execution Vulnerability that affects all versions of the Prisma VS Code extension older than 2.20.0. If a custom binary path for the Prisma format binary is set in VS Code Settings, for example by downloading a project that has a .vscode/settings.json file that sets a value for \"prismaFmtBinPath\". That custom binary is executed when auto-formatting is triggered by VS Code or when validation checks are triggered after each keypress on a *.prisma file. Fixed in versions 2.20.0 and 20.0.27. As a workaround users can either edit or delete the `.vscode/settings.json` file or check if the binary is malicious and delete it."}, {"lang": "es", "value": "Prisma VS Code una extensi\u00f3n de VSCode para archivos de esquema Prisma. Esta es una vulnerabilidad de Ejecuci\u00f3n de C\u00f3digo Remota que afecta a todas las versiones de la extensi\u00f3n Prisma VS Code anteriores a 2.20.0. Si una ruta binaria personalizada para el formato binario de Prisma en VS Code Settings es establecida, por ejemplo, al cargar un proyecto que tiene un archivo .vscode/settings.json que establece un valor para \"prismaFmtBinPath\". Ese binario personalizado se ejecuta cuando el formato autom\u00e1tico se activa mediante VS Code o cuando se activan las validaciones de comprobaci\u00f3n despu\u00e9s de cada pulsaci\u00f3n de tecla en un archivo *.prisma. Corregido en las versiones 2.20.0 y 20.0.27. Como soluci\u00f3n alternativa, los usuarios pueden editar o eliminar el archivo \"vscode/settings.json\" o comprobar si el binario es malicioso y eliminarlo"}], "id": "CVE-2021-21415", "lastModified": "2022-10-21T22:43:42.550", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-04-29T17:15:08.977", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/prisma/language-tools/pull/750"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/prisma/language-tools/security/advisories/GHSA-4rf9-43m7-x828"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://marketplace.visualstudio.com/items?itemName=Prisma.prisma"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://marketplace.visualstudio.com/items?itemName=Prisma.prisma-insider"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}