CVE-2021-28792

Name of the Vulnerable Software and Affected Versions: Swift Development Environment extension version 2.12.0 and earlier

Description: The issue allows remote attackers to execute arbitrary code by constructing a malicious workspace with crafted configuration values, including sourcekit-lsp.serverPath, swift.languageServerPath, swift.path.sourcekite, swift.path.sourcekiteDockerMode, swift.path.swift driver bin, or swift.path.shell, which triggers execution upon opening the workspace.

Recommendations: For versions prior to 2.12.1, update to version 2.12.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the vulnerable configuration values until a patch is applied. Avoid using the parameters sourcekit-lsp.serverPath, swift.languageServerPath, swift.path.sourcekite, swift.path.sourcekiteDockerMode, swift.path.swift driver bin, or swift.path.shell in the affected workspace configuration until the issue is resolved.