Visual Studio Code Remote Code Execution Vulnerability

Aug 3, 2021 • glitchnsec

CVE: CVE-2021-34529
CVSS3.1: 9.6, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vendor: Microsoft
CWEs:

CWE-356: Product UI does not Warn User of Unsafe Actions

Affected Products:

Visual Studio Code

Other Advisories:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34529
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34529

Description

Visual Studio Code can execute arbitrary commands determined by the workspace contents. Failure to warn users of potentially dangerous interactions with arbitrary workspaces/projects may lead to malicious remote code execution.

Fixed Versions:

Visual Studio Code 1.58.1

Disclosure Timeline

2021-04-22 - Vulnerability reported to ZDI as a bypass to CVE-2021-28472’s fix
2021-04-23 - Vulnerability reported to vendor by ZDI
2021-07-13 - Coordinated public release of advisory