Elevation of Privilege Vulnerability

## VS Code - Elevation of Privilege Vulnerability
 
An elevation of privilege vulnerability exists in VS Code 1.87.1 and earlier versions for users of the `code serve-web` command. An attacker who has access to view process information from a lower-privilege account on a machine can inspect a connection token used to secure `code server-web` being run in an elevated process, and potentially access the server over the network.
 
## Patches
 
The fix is available starting with VS Code 1.87.2. The fix (https://github.com/microsoft/vscode/commit/778a5ed9168b986cd4af03df3fd7f09e852f9cfb) mitigates this attack by transmitting the connection token in an appropriately-permissioned file rather than as part of the process arguments.
 
## Workarounds
 
Do not run `code serve-web` as an elevated user on a machine where untrusted users can view process information.
 
## References
 
- The patch for this can be found at https://github.com/microsoft/vscode/commit/778a5ed9168b986cd4af03df3fd7f09e852f9cfb with the version bump on https://github.com/microsoft/vscode/commit/863d2581ecda6849923a2118d93a088b0745d9d6
- An advisory can be found at https://github.com/microsoft/vscode/security/advisories/GHSA-54p6-6j68-j5vr
- MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26165

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Elevation of Privilege Vulnerability #207491

VS Code - Elevation of Privilege Vulnerability

Patches

Workarounds

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Elevation of Privilege Vulnerability #207491

Description

VS Code - Elevation of Privilege Vulnerability

Patches

Workarounds

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions