git: fbc8fa7cd5f2 - main - security/vuxml: document vscode information disclosure vulnerability

From: Hiroki Tagato <tagattie_at_FreeBSD.org>
Date: Wed, 10 May 2023 11:35:11 UTC
The branch main has been updated by tagattie:

URL: https://cgit.FreeBSD.org/ports/commit/?id=fbc8fa7cd5f22ed4469826beeb6cf442cf137e34

commit fbc8fa7cd5f22ed4469826beeb6cf442cf137e34
Author:     Hiroki Tagato <tagattie@FreeBSD.org>
AuthorDate: 2023-05-10 11:33:20 +0000
Commit:     Hiroki Tagato <tagattie@FreeBSD.org>
CommitDate: 2023-05-10 11:35:05 +0000

    security/vuxml: document vscode information disclosure vulnerability
    
    Obtained from:  https://github.com/microsoft/vscode/security/advisories/GHSA-mmfh-4pv3-39hr
---
 security/vuxml/vuln/2023.xml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index 272a3001ea5e..99d8615001e1 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,31 @@
+  <vuln vid="7913fe6d-2c6e-40ba-a7d7-35696f3db2b6">
+    <topic>vscode -- Visual Studio Code Information Disclosure Vulnerability</topic>
+    <affects>
+      <package>
+	<name>vscode</name>
+	<range><lt>1.78.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>secure@microsoft.com reports:</p>
+	<blockquote cite="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29338">
+	  <p>Visual Studio Code Information Disclosure Vulnerability</p>
+	  <p>A information disclosure vulnerability exists in VS Code 1.78.0 and earlier versions on Windows when file system operations are performed on malicious UNC paths. Examples include reading or resolving metadata of such paths. An authorised attacker must send the user a malicious file and convince the user to open it for the vulnerability to occur. Exploiting this vulnerability could allow the disclosure of NTLM hashes.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2023-29338</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2023-29338</url>
+      <url>https://github.com/microsoft/vscode/security/advisories/GHSA-mmfh-4pv3-39hr</url>
+    </references>
+    <dates>
+      <discovery>2023-05-09</discovery>
+      <entry>2023-05-10</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="68958e18-ed94-11ed-9688-b42e991fc52e">
     <topic>glpi -- multiple vulnerabilities</topic>
     <affects>