CVE-2022-35975 CRITICAL

CVE-2022-35975: Improper object validation allows for arbitrary code execution in GitOps Tools Extension for VSCode

Vendor: Weaveworks
Product: vscode-gitops-tools
Weakness: CWE-78
Published: August 18, 2022
Last update: April 23, 2025

CVSS base score

9.0/10

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

The GitOps Tools Extension for VSCode can make it easier to manage Flux objects. A specially crafted Flux object may allow for remote code execution in the machine running the extension, in the context of the user that is running VSCode. Users using the VSCode extension to manage clusters that are shared amongst other users are affected by this issue. The only safe mitigation is to update to the latest version of the extension.

Key dates

02 Disclosure timeline

August 18, 2022: CVE published
April 23, 2025: Record updated
