Login Sign Up

CVE-2021-30503

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability in the unofficial GLSL Linting extension for Visual Studio Code allows remote code execution when an attacker can modify workspace configuration files. Attackers can execute arbitrary code on systems where this extension is installed by crafting a malicious glslangValidatorPath value. Users of Visual Studio Code with this extension installed are affected.

💻 Affected Systems

Products:
  • Unofficial GLSL Linting extension for Visual Studio Code
Versions: All versions before 1.4.0
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the extension to be installed and workspace configuration to be modified or loaded from untrusted sources.

📦 What is this software?

Glsl Linting by Glsl Linting Project

View all CVEs affecting Glsl Linting →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary commands with the privileges of the Visual Studio Code user, potentially leading to data theft, ransomware deployment, or lateral movement within networks.

🟠

Likely Case

Local privilege escalation or execution of malicious scripts when users open compromised workspace configurations, potentially leading to credential theft or malware installation.

🟢

If Mitigated

Limited impact if extension is disabled or removed, or if workspace configurations are restricted to trusted sources only.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires modifying workspace configuration files, which could occur through social engineering, compromised repositories, or malicious project files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.0

Vendor Advisory: https://github.com/hsimpson/vscode-glsllint/commit/3effba525bdff7d4257e66a6815ff956d2bce8ac

Restart Required: Yes

Instructions:

1. Open Visual Studio Code. 2. Go to Extensions view (Ctrl+Shift+X). 3. Search for 'GLSL Linting'. 4. Click Update or reinstall extension. 5. Restart Visual Studio Code.

🔧 Temporary Workarounds

Disable extension

all

Temporarily disable the vulnerable extension until patched

code --disable-extension CADENAS.vscode-glsllint

Remove extension

all

Uninstall the vulnerable extension completely

code --uninstall-extension CADENAS.vscode-glsllint

🧯 If You Can't Patch

  • Restrict workspace configuration files to trusted sources only
  • Implement application allowlisting to prevent execution of unauthorized binaries

🔍 How to Verify

Check if Vulnerable:

Check extension version in VS Code Extensions view or run: code --list-extensions --show-versions | grep glsllint

Check Version:

code --list-extensions --show-versions | grep glsllint

Verify Fix Applied:

Verify extension version is 1.4.0 or higher using same command

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from Visual Studio Code context
  • Modifications to workspace configuration files with suspicious paths

Network Indicators:

  • Unexpected outbound connections from Visual Studio Code process

SIEM Query:

process_name:"code" AND (process_cmdline:"glslangValidator" OR process_cmdline:contains_suspicious_path)

📊 Metadata

CVE ID: CVE-2021-30503
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: April 13, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON