CVE-2020-17159

7.8 HIGH

📋 TL;DR

This vulnerability in Visual Studio Code Java Extension Pack allows remote code execution when a user opens a malicious Java project. Attackers can execute arbitrary code on the victim's system by exploiting flaws in how the extension handles project files. Users of Visual Studio Code with the Java Extension Pack installed are affected.

💻 Affected Systems

Products:
  • Visual Studio Code Java Extension Pack
Versions: before 0.10.0
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users who have installed the Java Extension Pack in Visual Studio Code.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise allowing the attacker to install malware, steal credentials, or pivot to other systems.

🟠 Likely Case: Local privilege escalation leading to data theft, ransomware deployment, or persistent backdoor installation.

🟢 If Mitigated: Limited impact if the extension is disabled or the user avoids opening untrusted Java projects.

🌐 Internet-Facing: LOW - Requires user interaction with malicious content, not directly internet-exposed.
🏢 Internal Only: MEDIUM - Developers opening untrusted Java projects could be compromised internally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user to open a malicious Java project file; no authentication bypass needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 0.10.0 or later

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17159

Restart Required: Yes

Instructions:

1. Open Visual Studio Code.
2. Go to the Extensions view (Ctrl+Shift+X).
3. Search for 'Java Extension Pack'.
4. Click Update if available, or uninstall and reinstall the latest version.
5. Restart Visual Studio Code.

🔧 Temporary Workarounds

Disable Java Extension Pack (Platform: all)

Temporarily disable the vulnerable extension until it is patched:

code --disable-extension vscjava.vscode-java-pack

Note that the --disable-extension flag only applies to the Visual Studio Code instance launched with it; to keep the pack disabled across launches, disable it in the Extensions view instead.

Restrict project sources (Platform: all)

Only open Java projects from trusted sources.

🧯 If You Can't Patch

  • Disable Java Extension Pack completely in Visual Studio Code settings
  • Implement application whitelisting to prevent execution of unauthorized binaries

🔍 How to Verify

Check if Vulnerable:

Check Java Extension Pack version in Visual Studio Code Extensions view; versions before 0.10.0 are vulnerable.

Check Version:

code --list-extensions --show-versions | grep vscjava.vscode-java-pack

Verify Fix Applied:

Verify Java Extension Pack version is 0.10.0 or later in Extensions view.
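As an added example that is not part of this advisory: a POSIX shell check that parses the output of the version command above and compares the installed pack version numerically against the 0.10.0 fix (a plain string comparison would rank 0.9.1 above 0.10.0). The sample listing is constructed; the extension id and fixed version are the ones given on this page.

```shell
#!/bin/sh
# Added example (not from the advisory): parse the extension listing and test the
# Java Extension Pack version against the fixed release named on this page.
# Assumes `code --list-extensions --show-versions` prints one "id@version" per
# line with plain numeric dotted versions, e.g. vscjava.vscode-java-pack@0.9.1.

PACK_ID="vscjava.vscode-java-pack"
FIXED_VERSION="0.10.0"

# Constructed sample listing used for the offline demo at the bottom.
SAMPLE_LISTING="ms-python.python@2020.12.424452561
$PACK_ID@0.9.1"

# version_lt A B: succeed (exit 0) when dotted version A is strictly lower than B.
# Fields are compared numerically, so 0.9.1 < 0.10.0 and 0.9 < 0.10.0.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
        [ "${ax:-0}" -lt "${bx:-0}" ] && return 0
        [ "${ax:-0}" -gt "${bx:-0}" ] && return 1
    done
    return 1   # versions are equal
}

# pack_version: read a listing on stdin, print the pack's version (nothing if absent).
pack_version() {
    sed -n "s/^$PACK_ID@//p"
}

# is_vulnerable VERSION: succeed when VERSION is below FIXED_VERSION.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_listing: read a listing on stdin; exit 0 = vulnerable, 1 = fixed, 2 = not installed.
check_listing() {
    v=$(pack_version)
    [ -z "$v" ] && { echo "$PACK_ID not installed"; return 2; }
    if is_vulnerable "$v"; then
        echo "VULNERABLE: $PACK_ID $v is below $FIXED_VERSION"; return 0
    fi
    echo "OK: $PACK_ID $v is $FIXED_VERSION or later"; return 1
}

# Offline demo on the constructed listing; on a real host pipe the CLI output instead:
#   code --list-extensions --show-versions | check_listing
printf '%s\n' "$SAMPLE_LISTING" | check_listing
```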

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from Visual Studio Code
  • Java Extension Pack errors or crashes

Network Indicators:

  • Unexpected outbound connections from Visual Studio Code process

SIEM Query:

Process Creation where Parent Process Name contains 'Code.exe' and Command Line contains suspicious patterns
