CVE-2021-22539 HIGH

CVE-2021-22539: Code execution in VSCode-bazel via malicious Bazel config files

Vendor Google LLC
Product VSCode-Bazel
Weakness CWE-73
Published April 16, 2021
Last update September 17, 2024

CVSS base score

8.2/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

Description

An attacker can place a crafted JSON config file into the project folder that points to a custom executable. VSCode-Bazel allows the path of the tool used to lint *.bzl files to be set per workspace via this config file; as a result, the attacker is able to execute any executable on the system through VSCode-Bazel. We recommend upgrading to version 0.4.1 or above.

Key dates

Disclosure timeline

April 16, 2021 CVE published
September 17, 2024 Record updated