Vulnerabilities > CVE-2021-22539 - Exposure of Resource to Wrong Sphere vulnerability in Google Bazel

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

google

CWE-668

NVD

Published: 2021-04-16

Updated: 2022-10-25

Summary

An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. VScode-bazel allows the workspace path to lint *.bzl files to be set via this config file. As such the attacker is able to execute any executable on the system through vscode-bazel. We recommend upgrading to version 0.4.1 or above.

Vulnerable Configurations

Part	Description	Count
Application	Google Google Bazel 0.1.0 Google Bazel 0.2.0 Google Bazel 0.3.0 Google Bazel 0.4.0	4

Common Weakness Enumeration (CWE)

CWE-668 - Exposure of Resource to Wrong Sphere

References

https://github.com/bazelbuild/vscode-bazel/security/advisories/GHSA-2rcw-j8x4-hgcv
https://github.com/bazelbuild/vscode-bazel-ghsa-2rcw-j8x4-hgcv/pull/1