Visual Studio Code Configuration Detected

medium Web App Scanning Plugin ID 113201

Language:

Synopsis

Visual Studio Code Configuration Detected

Description

Visual Studio Code is a popular source-code editor provided by Microsoft, with extensions offering a variety of extra functionality covering amongst others remote file access, credentials and launch configurations. Configurations may be located inside a hidden directory named .vscode. When exposed with the web application configuration, these configuration files may expose sensitive information which may be used by an attacker to gain unauthorized access.

Solution

Review the contents of the discovered .vscode directory and remove sensitive content, and/or adjust the web server's access controls to limit access to sensitive material.

See Also

https://code.visualstudio.com/docs/getstarted/settings

Plugin Details

Severity: Medium

ID: 113201

Type: remote

Family: Data Exposure

Published: 3/24/2022

Updated: 6/28/2022

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Reference Information

CWE: 538

OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A1

WASC: Predictable Resource Location

CAPEC: 95

DISA STIG: APSC-DV-002480

HIPAA: 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3

OWASP API: 2019-API3, 2019-API7, 2023-API3, 2023-API8

PCI-DSS: 3.2-2.2