CVE-2019-16765 in vscode-codeql
Summary
by MITRE
If an attacker can get a user to open a specially prepared directory tree as a workspace in Visual Studio Code with the CodeQL extension active, arbitrary code of the attacker's choosing may be executed on the user's behalf. This is fixed in version 1.0.1 of the extension. Users should upgrade to this version using Visual Studio Code Marketplace's upgrade mechanism. After upgrading, the codeQL.cli.executablePath setting can only be set in the per-user settings, and not in the per-workspace settings. More information about VS Code settings can be found here.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/27/2024
This vulnerability represents a critical privilege escalation flaw in the Visual Studio Code CodeQL extension that allows remote code execution through malicious workspace manipulation. The issue stems from improper handling of workspace configuration settings where the extension fails to properly validate or restrict the codeQL.cli.executablePath setting when it is defined within workspace-level configuration files. Attackers can craft specially prepared directory structures that, when opened as workspaces in Visual Studio Code with the CodeQL extension active, trigger execution of arbitrary code with the privileges of the user running the editor. This represents a classic path traversal and configuration injection vulnerability that leverages the trust model of the development environment to execute malicious payloads.
The technical flaw manifests through the extension's insufficient input validation and privilege separation mechanisms. When Visual Studio Code loads a workspace, it merges user-level and workspace-level settings, but the CodeQL extension fails to properly isolate or validate the executable path configuration. This allows attackers to place malicious configuration files within a directory tree that, when opened as a workspace, causes the extension to execute code from attacker-controlled paths. The vulnerability is particularly dangerous because it operates at the intersection of development environment security and user trust, where legitimate development workflows are exploited to deliver malicious payloads. The flaw aligns with CWE-276, which addresses improper privilege management, and CWE-78, which covers improper neutralization of special elements used in OS command execution.
The operational impact of this vulnerability extends beyond simple code execution to encompass complete system compromise when attackers can influence user behavior through social engineering or supply chain attacks. Users opening maliciously crafted projects or repositories can unknowingly execute arbitrary code that may establish persistent backdoors, exfiltrate sensitive data, or escalate privileges to system-level access. The vulnerability affects developers working in security-sensitive environments where Visual Studio Code and CodeQL are commonly used for code analysis, making it particularly dangerous in enterprise settings. Attackers could exploit this through phishing campaigns targeting developers, compromising open source repositories, or through malicious extensions that manipulate workspace configurations. This vulnerability directly maps to ATT&CK technique T1059, which covers command and scripting interpreter, and T1546, which addresses event trigger execution, as the malicious code execution occurs through legitimate development tooling.
Mitigation strategies must address both the immediate patch and long-term configuration hardening. The primary fix involves upgrading to version 1.0.1 of the CodeQL extension, which implements proper setting validation by restricting the codeQL.cli.executablePath configuration to user-level settings only. Organizations should enforce this upgrade across all development environments through automated deployment mechanisms and policy enforcement. Additional protective measures include implementing workspace trust models that prevent automatic execution of code from untrusted directories, configuring Visual Studio Code to disable workspace-specific extension settings where possible, and establishing security awareness training for developers to recognize potentially malicious workspace configurations. System administrators should monitor for unauthorized extension installations and configure network-level restrictions to prevent access to known malicious repositories or domains that might host exploit payloads. The vulnerability highlights the importance of least privilege principles in development environments and demonstrates how seemingly benign configuration options can become attack vectors when not properly validated against security best practices.