Cyber Resilience

CVE-2023-33144

Medium

Published: 14 June 2023

Modified: 21 November 2024
CVSS Score v3.1: 6.6 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0072 (72.9th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-33144 is a medium-severity Relative Path Traversal (CWE-23) vulnerability in Microsoft Visual Studio Code. Its CVSS base score is 6.6 (Medium).

Operationally, it ranks in the top 27.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-33144 is a spoofing vulnerability affecting Visual Studio Code, assigned CWE-23 for relative path traversal. It carries a CVSS 3.1 base score of 6.6, reflecting a local attack vector, low attack complexity, low privileges required, and required user interaction, with high impact to confidentiality and integrity and no availability effect.

An attacker with local access and limited privileges can exploit the flaw by presenting a crafted resource that the victim is tricked into opening or interacting with inside Visual Studio Code, enabling unauthorized disclosure or modification of files on the system.

Microsoft has published guidance for the issue in its Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33144.

The EPSS score for this CVE rose materially from a low baseline to a peak of 0.0762 on 2025-01-22 before receding to its current value of 0.0072, indicating a period of increased exploitation interest after disclosure.

Vulnerability details

Visual Studio Code Spoofing Vulnerability

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: microsoft
Product: visual studio code
Version: ≤ 1.79

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
