Exec Threat Overview: CVE-2022-30129

This exec threat overview was provided by Johannes Dahse, Head of R&D at SonarSource.

What is the CVE and what is the threat?

A Remote Code Execution vulnerability (CVE-2022-30129) was discovered in one of the most popular IDEs: Visual Studio Code. The vulnerability gave hackers the ability to create malicious links that, when clicked, would deceive the IDE into running unauthorized instructions on the victim's computer.

When the Visual Studio Code IDE is installed, the vulnerability can be used to attack developers. A malicious link created by an attacker prompts victims to clone a Git repository in Visual Studio Code when they click on it. Hackers could exploit a vulnerability in this process to run arbitrary commands on the victim’s computer to obtain sensitive information, alter source code, or even exploit the company’s internal network.

Who is at risk?

Any developer coding in Visual Studio Code running version 1.67.0 and lower (Microsoft reports 14M developers using VS Code).

What should organizations do to protect themselves now and in the future?

This particular CVE issue was narrowed down to an argument injection vulnerability in the extensions git module of the IDE’s source code. To stay protected from this CVE, all developers using VS Code should update to the newest version of their IDE and use caution when clicking external or foreign links.

To avoid similar vulnerabilities in the developers own code in general, the "Clean as You Code" method should be used as it addresses security at its core and gives developers the tools and training they need to produce high-quality, secure code. Clean code alludes to a codebase that is seamless and error-free. While beginning new projects with clean code, developers simultaneously solve existing problems by adhering to an established set of quality standards.

When the code is still being written, developers can also fix problems as they go and as result, managing the code security will be more efficient. Therefore, teams can increase the quality and security of their codebase by implementing clean code best practices at the right time during the development cycle. Their everyday routines automatically incorporate this technique, which lowers the possibility of recurring or exposed vulnerabilities.