CVE-2021-31414
📋 TL;DR
This vulnerability in the unofficial vscode-rpm-spec extension for Visual Studio Code allows remote code execution when a user opens a malicious workspace configuration. Attackers can execute arbitrary code on the victim's system by tricking them into opening a specially crafted workspace. Users of Visual Studio Code with this extension installed are affected.
💻 Affected Systems
- vscode-rpm-spec Visual Studio Code extension
📦 What is this software?
Rpm Spec by Rpm Spec Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Local privilege escalation leading to unauthorized access to sensitive files, credentials, or system resources.
If Mitigated
Limited impact if extension is removed or patched, with only isolated code execution in user context.
🎯 Exploit Status
Exploitation requires the user to open a malicious workspace configuration file. The vulnerability is well-documented in public advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.3.2
Vendor Advisory: https://github.com/LaurentTreguier/vscode-rpm-spec/commit/e19fb8e29cb48cadfd3238371e060d4ffd3384f9
Restart Required: No
Instructions:
1. Open Visual Studio Code.
2. Go to the Extensions view (Ctrl+Shift+X).
3. Search for 'vscode-rpm-spec'.
4. Click Update or reinstall to get version 0.3.2 or later.
5. Verify the extension shows version 0.3.2 or higher.
🔧 Temporary Workarounds
Remove vulnerable extension
Uninstall the vscode-rpm-spec extension completely to eliminate the vulnerability.
code --uninstall-extension laurenttreguier.vscode-rpm-spec
Disable extension
Temporarily disable the extension in Visual Studio Code settings.
🧯 If You Can't Patch
- Remove the vscode-rpm-spec extension entirely from all developer workstations
- Implement strict controls on opening workspace files from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Check the installed extension version in the VS Code Extensions view. If vscode-rpm-spec is installed and its version is below 0.3.2, you are vulnerable.
Check Version:
code --list-extensions --show-versions | grep vscode-rpm-spec
Verify Fix Applied:
Verify the extension shows version 0.3.2 or higher in the Extensions view. Test by attempting to open a workspace configuration - no arbitrary code should execute.
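The version check above, as an added example that is not part of this advisory: a POSIX sh script that parses the output of `code --list-extensions --show-versions` and reports whether the installed vscode-rpm-spec is below the patched 0.3.2. The extension id `laurenttreguier.vscode-rpm-spec` is taken from the uninstall command on this page, the function names `version_lt` and `check_listing` are my own, and the listing it falls back to when `code` is not on the PATH is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the advisory): parse `code --list-extensions --show-versions`
# output and report whether vscode-rpm-spec is installed below the patched 0.3.2.
# Extension id taken from the uninstall command on this page; adjust if yours differs.
PATCHED_VERSION="0.3.2"
EXT_ID="laurenttreguier.vscode-rpm-spec"

# version_lt A B: succeed when dotted numeric version A is lower than B.
# Missing fields count as 0; pre-release suffixes (e.g. 1.2.3-beta) are not handled.
version_lt() {
    a="$1" b="$2" oldifs="$IFS"
    IFS=.
    set -- $a; a1="${1:-0}" a2="${2:-0}" a3="${3:-0}"
    set -- $b; b1="${1:-0}" b2="${2:-0}" b3="${3:-0}"
    IFS="$oldifs"
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# check_listing LISTING: given the text of a `--show-versions` listing
# (one `publisher.name@version` per line), print vulnerable, patched or absent.
check_listing() {
    line=$(printf '%s\n' "$1" | grep -i "^$EXT_ID@" || true)
    if [ -z "$line" ]; then
        echo absent
        return 0
    fi
    ver="${line#*@}"
    if version_lt "$ver" "$PATCHED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Constructed sample listing so the script runs offline; a real run replaces it.
SAMPLE_LISTING='ms-python.python@2021.3.658691958
laurenttreguier.vscode-rpm-spec@0.3.1
redhat.vscode-yaml@0.18.0'

if command -v code >/dev/null 2>&1; then
    listing=$(code --list-extensions --show-versions 2>/dev/null || true)
else
    listing="$SAMPLE_LISTING"
fi
echo "vscode-rpm-spec status: $(check_listing "$listing")"
```

Run it on each developer workstation; any host printing `vulnerable` still needs the update or the uninstall command from the workaround section.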
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from VS Code extension context
- Suspicious workspace file openings
- Extension loading errors related to vscode-rpm-spec
Network Indicators:
- Downloads of suspicious workspace configuration files
- Outbound connections from VS Code to unexpected destinations
SIEM Query:
process_name:code AND (process_cmdline:*rpm-spec* OR process_cmdline:*workspace*)