
Remote Code Execution Vulnerability

Moderate
mjbvz published GHSA-p996-wrgh-crrj Jan 10, 2023

Package

VS Code

Affected versions

<

Patched versions

1.74.3

Description

A remote code execution vulnerability exists in VS Code 1.74.2 and earlier versions, where opening a maliciously crafted notebook allows script execution inside the notebook's iframe. This works in untrusted workspaces and only requires that the user open the notebook. The executed script runs inside an isolated iframe; however, it is possible that an attacker could combine this with additional exploits to break out of the iframe.

Patches

The fix is available starting with VS Code 1.74.3. The fix (5b8361b) mitigates this attack by constructing the HTML more safely.

Workarounds

Do not open notebooks from untrusted sources.

References

5b8361b

Severity

Moderate

CVE ID

CVE-2023-21779

Weaknesses

No CWEs