{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-084.pdf"
    },
    "title": "Critical Vulnerability in Visual Studio Code",
    "serial_number": "2022-084",
    "publish_date": "02-12-2022 10:40:00",
    "description": "On November 22, Microsoft published a security advisory about a Remote Code Execution vulnerability in Visual Studio Code. The severity is rated critical: a remote code execution vulnerability exists in VS Code 1.71 and earlier versions when handling malicious notebooks. Such notebooks could use command URIs to execute arbitrary commands, including potentially dangerous ones.",
    "url_title": "2022-084",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in Visual Studio Code'\nversion: '1.0'\nnumber: '2022-084'\noriginal_date: 'November 22, 2022'\ndate: 'December 2, 2022'\n---\n\n_History:_\n\n* _02/12/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn November 22, Microsoft published a security advisory about a Remote Code Execution vulnerability in Visual Studio Code [1]. The severity is rated critical: a remote code execution vulnerability exists in VS Code 1.71 and earlier versions when handling malicious notebooks. Such notebooks could use command URIs to execute arbitrary commands, including potentially dangerous ones.\n\n# Technical Details\n\nThe vulnerability was reported by Google [2] and is tracked as **CVE-2022-41034**. An attacker could, through a link or website, take over the computer of a Visual Studio Code user and any computers they were connected to via the Visual Studio Code Remote Development feature. This issue affected at least GitHub Codespaces, github.dev, Visual Studio Code for the Web and, to a lesser extent, Visual Studio Code desktop.\n\nMicrosoft released Visual Studio Code 1.72 on October 11 [3], which fixes this vulnerability.\n\n# Affected Products\n\n- Visual Studio Code 1.71 and earlier versions.\n\n# Recommendations\n\nCERT-EU recommends applying the patches for Visual Studio Code, i.e. updating to version 1.72 or later.\n\n# References\n\n[1] <https://github.com/microsoft/vscode/security/advisories/GHSA-q6rv-h25q-6pj6>\n\n[2] <https://github.com/google/security-research/security/advisories/GHSA-pw56-c55x-cm9m>\n\n[3] <https://code.visualstudio.com/updates/v1_72>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>02/12/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On November 22, Microsoft published a security advisory about a Remote Code Execution vulnerability in Visual Studio Code [1]. The severity is rated critical: a remote code execution vulnerability exists in VS Code 1.71 and earlier versions when handling malicious notebooks. Such notebooks could use command URIs to execute arbitrary commands, including potentially dangerous ones.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability was reported by Google [2] and is tracked as <strong>CVE-2022-41034</strong>. An attacker could, through a link or website, take over the computer of a Visual Studio Code user and any computers they were connected to via the Visual Studio Code Remote Development feature. This issue affected at least GitHub Codespaces, github.dev, Visual Studio Code for the Web and, to a lesser extent, Visual Studio Code desktop.</p><p>Microsoft released Visual Studio Code 1.72 on October 11 [3], which fixes this vulnerability.</p><h2 id=\"affected-products\">Affected Products</h2><ul><li>Visual Studio Code 1.71 and earlier versions.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends applying the patches for Visual Studio Code, i.e. updating to version 1.72 or later.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/microsoft/vscode/security/advisories/GHSA-q6rv-h25q-6pj6\">https://github.com/microsoft/vscode/security/advisories/GHSA-q6rv-h25q-6pj6</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/google/security-research/security/advisories/GHSA-pw56-c55x-cm9m\">https://github.com/google/security-research/security/advisories/GHSA-pw56-c55x-cm9m</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://code.visualstudio.com/updates/v1_72\">https://code.visualstudio.com/updates/v1_72</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}