{"id":"CVE-2021-22539","details":"An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. VScode-bazel allows the workspace path to lint *.bzl files to be set via this config file. As such the attacker is able to execute any executable on the system through vscode-bazel. We recommend upgrading to version 0.4.1 or above.","modified":"2026-03-14T08:29:06.102024Z","published":"2021-04-16T11:15:12.637Z","related":["GHSA-2rcw-j8x4-hgcv"],"references":[{"type":"ADVISORY","url":"https://github.com/bazelbuild/vscode-bazel/security/advisories/GHSA-2rcw-j8x4-hgcv"},{"type":"FIX","url":"https://github.com/bazelbuild/vscode-bazel-ghsa-2rcw-j8x4-hgcv/pull/1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bazelbuild/vscode-bazel","events":[{"introduced":"5f864f7082a39e80b71208bee8852546a1d9dafb"},{"fixed":"d268ed208a03364fecd45bf8e07a35b7408b3b2c"}],"database_specific":{"versions":[{"introduced":"0.1.0"},{"fixed":"0.4.1"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22539.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}