CVE-2022-35976 MEDIUM

CVE-2022-35976: Improper KubeConfig handling allows arbitrary code execution

Vendor Weaveworks
Product vscode-gitops-tools
Weakness CWE-78
Published August 18, 2022
Last update April 23, 2025

CVSS base score

5.2/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

Description

The GitOps Tools Extension for VSCode relies on kubeconfigs in order to communicate with Kubernetes clusters. A specially crafted kubeconfig leads to arbitrary code execution on behalf of the user running VSCode. Users relying on kubeconfigs that are generated or altered by other processes or users are affected by this issue. Please note that the vulnerability is specific to this extension; the same kubeconfig would not result in arbitrary code execution when used with kubectl. Using only trustworthy kubeconfigs is a safe mitigation. However, updating to the latest version of the extension is still highly recommended.

Key dates

Disclosure timeline

August 18, 2022 CVE published
April 23, 2025 Record updated