CVE-2022-21991: Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability

Overview

Severity: High (CVSS 8.1)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2022-Feb
Released: 2022-02-08
EPSS Score: 4.37% (percentile: 89.0%)

FAQ

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component.

How could an attacker exploit this vulnerability?

An attacker would need to send a specially crafted request to a host running the Visual Studio Code Remote Development Extension. This issue only affects systems configured to host a remote development environment.

Affected Products (1)

Developer Tools

  • Visual Studio Code

Security Updates (1)

Acknowledgments

levatao and eastjiao

Revision History

  • 2022-02-08: Information published.