{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0.1.0"
              },
              {
                "fixed": "0.4.1"
              }
            ]
          },
          "events": [
            {
              "introduced": "5f864f7082a39e80b71208bee8852546a1d9dafb"
            },
            {
              "fixed": "d268ed208a03364fecd45bf8e07a35b7408b3b2c"
            }
          ],
          "repo": "https://github.com/bazelbuild/vscode-bazel",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. VScode-bazel allows the workspace path to lint *.bzl files to be set via this config file. As such the attacker is able to execute any executable on the system through vscode-bazel. We recommend upgrading to version 0.4.1 or above.",
  "id": "CVE-2021-22539",
  "modified": "2026-03-13T21:50:01.175545800Z",
  "published": "2021-04-16T11:15:12.637Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/bazelbuild/vscode-bazel/security/advisories/GHSA-2rcw-j8x4-hgcv"
    },
    {
      "type": "FIX",
      "url": "https://github.com/bazelbuild/vscode-bazel-ghsa-2rcw-j8x4-hgcv/pull/1"
    }
  ],
  "related": [
    "GHSA-2rcw-j8x4-hgcv"
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}