XMLLanguageService.java in XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows a remote attacker to write to arbitrary files via Directory Traversal.
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
| Link | Tags |
|---|---|
| https://github.com/angelozerr/lsp4xml/ | product |
| https://github.com/redhat-developer/vscode-xml/ | third party advisory patch |
| https://marketplace.visualstudio.com/items?itemName=redhat.vscode-xml | third party advisory |
| https://github.com/angelozerr/lsp4xml/pull/567 | third party advisory patch |
| https://github.com/angelozerr/lsp4xml/blob/master/CHANGELOG.md#others | third party advisory release notes |
| https://www.shielder.it/blog/dont-open-that-xml-xxe-to-rce-in-xml-plugins-for-vs-code-eclipse-theia/ | third party advisory exploit |