CVE-2021-27084
📋 TL;DR
This vulnerability in Visual Studio Code's Java Extension Pack allows remote code execution when a user opens a malicious Java project. Attackers can execute arbitrary code on the victim's system by tricking them into opening a specially crafted project. This affects developers using the Java Extension Pack in Visual Studio Code.
💻 Affected Systems
- Visual Studio Code Java Extension Pack
📦 What is this software?
Maven For Java by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the Visual Studio Code user, potentially leading to data theft, ransomware deployment, or lateral movement within networks.
Likely Case
Attacker executes malicious code in the context of the developer's environment, potentially stealing source code, credentials, or deploying malware.
If Mitigated
Limited impact with proper network segmentation, least privilege principles, and security controls preventing lateral movement.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious project). The vulnerability has been publicly disclosed with technical details available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Java Extension Pack version 0.17.0 or later
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27084
Restart Required: Yes
Instructions:
1. Open Visual Studio Code.
2. Go to Extensions view (Ctrl+Shift+X).
3. Search for 'Java Extension Pack'.
4. Click Update if available, or uninstall and reinstall to get latest version.
5. Restart Visual Studio Code.
🔧 Temporary Workarounds
Disable Java Extension Pack
All platforms: Temporarily disable the vulnerable extension until patching is possible
code --disable-extension vscjava.vscode-java-pack
Restrict project sources
All platforms: Only open Java projects from trusted sources
🧯 If You Can't Patch
- Implement application allowlisting to restrict execution of unauthorized code
- Use network segmentation to isolate development environments from production systems
🔍 How to Verify
Check if Vulnerable:
Check Java Extension Pack version in VS Code Extensions view. If version is below 0.17.0, you are vulnerable.
Check Version:
code --list-extensions --show-versions | findstr vscjava.vscode-java-pack
Verify Fix Applied:
Verify Java Extension Pack version is 0.17.0 or higher in Extensions view.
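The `findstr` filter above only runs in a Windows command prompt and leaves the comparison against 0.17.0 to the reader. The following is an added example for POSIX shells (macOS/Linux), not code from the vendor advisory; the function names `ver_lt` and `check_java_pack` and the sample extension listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): classify the installed Java Extension Pack
# against the fixed release named on this page.
EXT_ID="vscjava.vscode-java-pack"
FIXED="0.17.0"

# ver_lt A B: succeed when dotted numeric version A is lower than B.
# Fields are compared as integers, so 0.9.4 < 0.17.0 (a string compare gets this wrong).
ver_lt() {
    a=${1%%[!0-9.]*}   # drop any non-numeric suffix such as "-beta"
    b=${2%%[!0-9.]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1   # equal versions are not "lower"
}

# check_java_pack: reads `code --list-extensions --show-versions` output
# (one "publisher.name@version" per line) on stdin and prints
# "vulnerable <ver>", "patched <ver>" or "not-installed".
check_java_pack() {
    ver=$(awk -F@ -v id="$EXT_ID" '$1 == id { print $2; exit }')
    if [ -z "$ver" ]; then
        echo "not-installed"
    elif ver_lt "$ver" "$FIXED"; then
        echo "vulnerable $ver"
    else
        echo "patched $ver"
    fi
}

# Constructed sample listing (not captured from a real machine).
SAMPLE='redhat.java@0.76.0
vscjava.vscode-java-pack@0.9.4
vscjava.vscode-maven@0.27.1'
printf '%s\n' "$SAMPLE" | check_java_pack

# On a real workstation:
#   code --list-extensions --show-versions | check_java_pack
```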
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from VS Code context
- Suspicious network connections originating from developer workstations
Network Indicators:
- Outbound connections to suspicious domains/IPs from developer systems
- Unusual data exfiltration patterns
SIEM Query:
source="vscode" AND (event="extension_activation" OR event="process_execution") AND extension="java-pack"