Update Electron with security fix for remote code execution vulnerability

A remote code execution vulnerability exists in VS Code 1.80.1 and earlier versions where opening a maliciously crafted workspace from the command line `code <attacker-controlled-workspace>` can result in executing commands locally. Specifically this issue can only be exploited if the following conditions are met:
* VS Code is launched with an attacker-controlled working directory
* The attacker has the ability to write files to that working directory
 ### Patches
The fix is available starting with VS Code 1.80.2. The fix (https://github.com/microsoft/vscode/commit/2ccd690cbff1569e4a83d7c43d45101f817401dc) mitigates
the attack by updating to a newer version of Electron that contains the security fix.
### Workarounds
There are no application side workarounds other than updating VS Code to the fixed version.

### References
* The patch for this can be found at https://github.com/microsoft/vscode/commit/2ccd690cbff1569e4a83d7c43d45101f817401dc
* An advisory for this can be found at https://github.com/microsoft/vscode/security/advisories/GHSA-5cm6-54wm-6gg6
* MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-39956
* Electron's advisory can be found at https://github.com/advisories/GHSA-7x97-j373-85x5

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Update Electron with security fix for remote code execution vulnerability #192902

Patches

Workarounds

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Update Electron with security fix for remote code execution vulnerability #192902

Description

Patches

Workarounds

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions