The Code Extension Marketplace is an open-source alternative to the VS Code Marketplace. Prior to 2.4.2, Zip Slip vulnerability in coder/code-marketplace allowed a malicious VSIX file to write arbitrary files outside the extension directory. ExtractZip passed raw zip entry names to a callback that wrote files via filepath.Join with no boundary check; filepath.Join resolved .. components but did not prevent the result from escaping the base path. This vulnerability is fixed in 2.4.2.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XCoder Code Marketplace
APPCoder≤ 2.4.1
Related vulnerabilities
Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7...
Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 thro...
Coder allows oragnizations to provision remote development environments via Terraform. Prior to versions 2.6.1...
Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets ha...
code-server is vulnerable to Inefficient Regular Expression Complexity