Open VSX Bug Let Malicious VS Code Extensions Bypass Pre-Publish Security Checks
Briefly

"The pipeline had a single boolean return value that meant both 'no scanners are configured' and 'all scanners failed to run,'... So when scanners failed under load, Open VSX treated it as 'nothing to scan for' and waved the extension right through."
"The vulnerability discovered by Koi, codenamed Open Sesame, has to do with how this Java-based service reports the scan results... causing an extension to be marked as passes, and then immediately activated and made available for download from Open VSX."
"Even more troublingly, a recovery service designed to retry failed scans suffered from the same problem, thereby allowing extensions to skip the entire scanning process under certain conditions."
A vulnerability in Open VSX's pre-publish scanning pipeline allowed malicious VS Code extensions to pass security checks. The issue stemmed from a single boolean return value that did not distinguish "no scanners configured" from "all scanners failed to run". Because both cases looked like a clean result, extensions were marked as passed and activated without being vetted. The Eclipse Foundation plans to enforce stricter pre-publish security checks to prevent such incidents: extensions that fail the scanning process will be quarantined for review, addressing the risk of rogue extensions being published.
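To illustrate the failure mode described above, here is an added Python model (constructed for this summary, not Open VSX's own Java code) of a scan pipeline whose boolean result fails open, beside a tri-state version that quarantines an extension whenever no scanner actually completed. Scanner functions, the Verdict enum and the sample inputs are all assumptions made for the example.

```python
from enum import Enum
from typing import Callable

# A scanner returns True (clean) or False (flagged), or raises if it cannot run.
Scanner = Callable[[bytes], bool]


def scan_vulnerable(extension: bytes, scanners: list[Scanner]) -> bool:
    """Boolean pipeline modelled on the bug: True means 'nothing flagged it'.
    An empty scanner list and a list where every scanner crashed both end
    in True, so a scanner outage publishes the extension."""
    for scanner in scanners:
        try:
            if not scanner(extension):
                return False          # a scanner flagged the extension
        except Exception:
            continue                  # scanner failed to run: silently skipped
    return True                       # clean... or nothing ever ran


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"
    QUARANTINE = "quarantine"         # scan incomplete: hold for manual review


def scan_hardened(extension: bytes, scanners: list[Scanner]) -> Verdict:
    """Fail-closed pipeline: publish only if every configured scanner ran to
    completion and none flagged the extension; anything else is quarantined."""
    if not scanners:
        return Verdict.QUARANTINE     # 'no scanners' is not 'nothing to find'
    for scanner in scanners:
        try:
            if not scanner(extension):
                return Verdict.MALICIOUS
        except Exception:
            return Verdict.QUARANTINE  # scanner failure must not look like a pass
    return Verdict.CLEAN


# Constructed sample inputs and scanners for the demonstration.
FLAGGED_EXTENSION = b"manifest...SUSPICIOUS_MARKER..."
BENIGN_EXTENSION = b"manifest...console.log('hello')..."


def marker_scanner(ext: bytes) -> bool:
    return b"SUSPICIOUS_MARKER" not in ext


def overloaded_scanner(ext: bytes) -> bool:
    raise TimeoutError("scanner failed under load")
```

Running the flagged sample through `scan_vulnerable` with only the overloaded scanner returns `True`, the exact "waved right through" outcome, while `scan_hardened` returns `Verdict.QUARANTINE` for the same input.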
Read at The Hacker News