An elevation of privilege vulnerability exists in VS Code 1.87.1 and earlier versions for users of the code serve-web command. An attacker who has access to view process information from a lower-privilege account on a machine can inspect a connection token used to secure code serve-web being run in an elevated process, and potentially access the server over the network.
Patches
The fix is available starting with VS Code 1.87.2. The fix (778a5ed) mitigates this attack by transmitting the connection token in an appropriately-permissioned file rather than as part of the process arguments.
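The difference between the two ways of passing the token, as an added example that is not code from the VS Code project: it writes a token to an owner-only file and audits an argument list for a token passed inline or via a loosely-permissioned file. The flag names `--connection-token` and `--connection-token-file`, the file name, and the sample argument lists are assumptions of this example and do not come from the advisory.

```python
import os
import secrets
import stat
import tempfile

# Flag names are assumptions (not given in the advisory).
TOKEN_FLAG = "--connection-token"            # value is visible in the process list
TOKEN_FILE_FLAG = "--connection-token-file"  # only a path is visible

def write_token_file(directory):
    """Create a token file that only the owning user can read."""
    path = os.path.join(directory, "connection-token")  # hypothetical file name
    # O_EXCL refuses a pre-created file; mode 0600 applies from creation,
    # so the token is never briefly readable by other accounts.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(secrets.token_urlsafe(32))
    return path

def token_options(argv):
    """Yield (flag, value) for both '--flag value' and '--flag=value' forms."""
    for i, arg in enumerate(argv):
        flag, sep, value = arg.partition("=")
        if flag in (TOKEN_FLAG, TOKEN_FILE_FLAG):
            if sep:
                yield flag, value
            elif i + 1 < len(argv):
                yield flag, argv[i + 1]

def audit_argv(argv):
    """Return findings for one process's argument list (never the token itself)."""
    findings = []
    for flag, value in token_options(argv):
        if flag == TOKEN_FLAG:
            findings.append("token value exposed in process arguments")
            continue
        try:
            mode = stat.S_IMODE(os.stat(value).st_mode)
        except OSError:
            findings.append("token file missing or not inspectable")
            continue
        if mode & 0o077:
            findings.append(f"token file open to group/others (mode {mode:o})")
    return findings

def demo():
    """Constructed argument lists: pre-fix style versus post-fix style."""
    with tempfile.TemporaryDirectory() as d:
        before = ["server", TOKEN_FLAG, "constructed-token"]
        after = ["server", TOKEN_FILE_FLAG, write_token_file(d)]
        return audit_argv(before), audit_argv(after)
```

`audit_argv` takes one process's argument list, so it can be run over whatever process inventory the host already collects.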
Workarounds
Do not run code serve-web as an elevated user on a machine where untrusted users can view process information.
References
The patch for this can be found at 778a5ed, with the version bump on 863d258.
VS Code - Elevation of Privilege Vulnerability