CVE-2021-22539

HIGH

VScode-bazel <0.4.1 - Code Injection

Title source: llm

Description

An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. VScode-bazel allows the workspace path to lint *.bzl files to be set via this config file. As such the attacker is able to execute any executable on the system through vscode-bazel. We recommend upgrading to version 0.4.1 or above.

References (2)

[Broken Link] https://github.com/bazelbuild/vscode-bazel-ghsa-2rcw-j8x4-hgcv/pull/1

[Third Party Advisory] https://github.com/bazelbuild/vscode-bazel/security/advisories/GHSA-2rcw-j8x4-hgcv

Scores

CVSS v3 8.2

EPSS 0.0006

EPSS Percentile 19.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Classification

CWE

CWE-668 CWE-73

Status published

Affected Products (1)

google/bazel < 0.4.1

Timeline

Published Apr 16, 2021

Tracked Since Feb 18, 2026