CVSS 7.5 HIGH
The severity is HIGH due to the potential for unauthorized access through a compromised VSCode extension, even though the core Trivy code was not affected. Real-world exploitability is high if users did not verify their extensions before installation.

A GitHub Personal Access Token (PAT) for the Trivy project was compromised, leading to a rogue VSCode extension release. The core Trivy codebase was unaffected; however, users who installed the malicious extension are at risk of unauthorized access and potential data exfiltration.

Affected Systems
  • Trivy VSCode Extension
Affected Versions: All versions that included the malicious release
Remediation
  • Uninstall any unverified Trivy VSCode extension immediately: Run `code --uninstall-extension ` to remove it.
  • Verify the authenticity of installed extensions by checking their origin and reviews on the official Visual Studio Marketplace.
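An audit script, added here as an example and not part of the advisory, that applies the two remediation steps above to the `publisher.name@version` lines printed by `code --list-extensions --show-versions`: it flags any Trivy-named extension whose ID is not the expected one and prints the matching uninstall command instead of running it. The expected extension ID in `EXPECTED_TRIVY_ID` is an assumed placeholder; confirm the official ID on the Visual Studio Marketplace before relying on it.

```shell
#!/bin/sh
# Added example (not from the advisory or the Trivy project).
# EXPECTED_TRIVY_ID is an assumption: override it with the ID shown on the
# official Marketplace listing if it differs.
EXPECTED_TRIVY_ID="${EXPECTED_TRIVY_ID:-AquaSecurityOfficial.trivy-vulnerability-scanner}"

# audit_extensions reads "publisher.name@version" lines from stdin (the format
# of `code --list-extensions --show-versions`) and prints one SUSPECT block for
# every extension whose ID contains "trivy" but does not equal
# EXPECTED_TRIVY_ID. Returns 1 if any suspect entry was found, 0 otherwise.
audit_extensions() {
    found=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        id="${line%@*}"                       # "publisher.name"
        version="${line#*@}"                  # "version" (if present)
        [ "$version" = "$line" ] && version="unknown"
        lowered=$(printf '%s' "$id" | tr '[:upper:]' '[:lower:]')
        case "$lowered" in
            *trivy*)
                if [ "$id" != "$EXPECTED_TRIVY_ID" ]; then
                    printf 'SUSPECT %s (version %s): ID differs from expected %s\n' \
                        "$id" "$version" "$EXPECTED_TRIVY_ID"
                    printf '  remediation: code --uninstall-extension %s\n' "$id"
                    found=1
                fi
                ;;
        esac
    done
    return "$found"
}

# Live check against this machine's VS Code install, only when asked and when
# the `code` CLI is available; otherwise the function is just defined for use.
if [ "${1:-}" = "--live" ] && command -v code >/dev/null 2>&1; then
    code --list-extensions --show-versions | audit_extensions
fi
```

Run it as `sh audit.sh --live` on a developer workstation, or pipe a saved extension list into `audit_extensions` to review machines offline.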
Stack Impact

This issue affects users with the rogue Trivy VSCode extension, potentially impacting any system where this extension was used for development or container scanning.
