Skip to content

Malicious project can cause vscode-bazel to run arbitrary executable when linting a *.bzl file

High
philwo published GHSA-2rcw-j8x4-hgcv Apr 14, 2021

Package

vscode-bazel (Visual Studio Code Plug-ins)

Affected versions

0.1.0 - 0.4.0

Patched versions

0.4.1

Description

Impact

An attacker can place a crafted JSON config file into the project folder pointing to a custom executable, leading to arbitrary code execution.

vscode-bazel <= 0.4.0 allow workspace settings to change the path of an executable file used to lint *.bzl files (setting "bazel.buildifierExecutable"). Since the workspace setting can be modified just by dropping a (malicious) JSON config file into a folder, it's possible to execute arbitrary executables from malicious folders this way.

Patches

The problem has been patched in vscode-bazel 0.4.1. We recommend upgrading to version 0.4.1 or above.

For more information

Thanks to @Ry0taK for finding, reporting this vulnerability responsibly and helping us patch it!

If you have any questions or comments about this advisory:

Severity

High
8.2
/ 10

CVSS base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVE ID

CVE-2021-22539

Weaknesses

Credits