Python extension for Visual Studio Code Remote Code Execution Vulnerability

High
karthiknadig published GHSA-cmrx-fhfp-pq36 Nov 12, 2024

Package

ms-python.python

Affected versions

>=2024.9.0

Patched versions

>=2024.20.0

Description

Impact

There is a security vulnerability in the untrusted workspaces flow with specially crafted workspaces.

Patches

The fix is available starting with 2024.20.0 (commit a16ed6b). The Python discovery code that was problematic is disabled in untrusted mode.

Workarounds

Check for python executables checked-into SCM before opening untrusted workspaces.
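One way to carry out this check on a checkout before opening it as an untrusted workspace, given here as an added example that is not part of the advisory or of the extension's own code: the script walks the cloned tree and reports files whose name looks like a Python interpreter and that are executable (or carry an `.exe` suffix). The name pattern, the directory names, the function names and the constructed sample workspace are all assumptions of this example; it also goes slightly beyond the advisory text by covering Windows-style `python.exe` / `pythonw.exe` names.

```python
"""Report interpreter-like executables inside a checkout before trusting it.

Added example for the GHSA-cmrx-fhfp-pq36 workaround; not the extension's code.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumption: these are the file names we treat as "looks like a Python
# interpreter": python, python3, python3.11, pythonw, python.exe, pythonw.exe ...
INTERPRETER_NAME = re.compile(r"^pythonw?(?:\d+(?:\.\d+)?)?(?:\.exe)?$", re.IGNORECASE)


def is_executable(path: Path) -> bool:
    """True if any execute bit is set, or the file carries a Windows .exe suffix."""
    mode = path.stat().st_mode
    has_exec_bit = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    return has_exec_bit or path.suffix.lower() == ".exe"


def find_checked_in_interpreters(root) -> list[str]:
    """Return sorted, root-relative POSIX paths of interpreter-like executables.

    The .git directory itself is skipped; everything else in the checkout,
    including dot-directories such as .venv, is inspected.
    """
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            if not INTERPRETER_NAME.match(name):
                continue
            candidate = Path(dirpath) / name
            # A symlink named like an interpreter is suspicious regardless of target.
            if candidate.is_symlink() or is_executable(candidate):
                findings.append(candidate.relative_to(root).as_posix())
    return sorted(findings)


def build_demo_workspace() -> str:
    """Create a constructed sample checkout (assumed layout) with two planted files."""
    root = Path(tempfile.mkdtemp(prefix="untrusted-ws-"))
    (root / "src").mkdir()
    (root / "src" / "app.py").write_text("print('hello')\n")
    # Name does not match the interpreter pattern, so it must not be reported.
    (root / "python.txt").write_text("not an interpreter\n")
    # A checked-in POSIX "interpreter": executable shell script in a venv layout.
    posix_bad = root / ".venv" / "bin" / "python3"
    posix_bad.parent.mkdir(parents=True)
    posix_bad.write_text("#!/bin/sh\necho 'constructed sample, not a real interpreter'\n")
    posix_bad.chmod(0o755)
    # A checked-in Windows-style name: .exe suffix counts even without exec bits.
    win_bad = root / "venv" / "Scripts" / "python.exe"
    win_bad.parent.mkdir(parents=True)
    win_bad.write_bytes(b"MZ constructed placeholder")
    return str(root)


def demo() -> list[str]:
    """Scan the constructed workspace; returns the two planted paths."""
    return find_checked_in_interpreters(build_demo_workspace())


if __name__ == "__main__":
    for hit in demo():
        print("interpreter-like executable:", hit)
```

Run `find_checked_in_interpreters()` on the cloned directory before opening it in VS Code; a non-empty result means the checkout ships something the extension's discovery could have picked up as an interpreter. Where `git` is available, `git ls-files` distinguishes paths that are actually tracked in SCM from ones created locally (for example by a prior `python -m venv`).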

References

Severity

High

CVE ID

CVE-2024-49050

Weaknesses