CVE-2022-30129: 
Visual Studio Code vulnerability analysis and mitigation

Visual Studio Code Remote Code Execution Vulnerability (CVE-2022-30129) was discovered and disclosed in May 2022. The vulnerability affected Visual Studio Code versions prior to 1.67.1, allowing attackers to execute arbitrary commands on a victim's computer through maliciously crafted Git repository URLs (Sonar Blog, NVD).

The vulnerability stems from an argument injection bug in Visual Studio Code's Git module. When handling Git clone operations through the vscode:// URL protocol, the application failed to properly validate repository URLs, allowing attackers to inject command-line arguments. The vulnerability received a CVSS v3.1 base score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, the vulnerability allows attackers to execute arbitrary commands on the victim's computer when a developer clicks on a malicious repository link. Notably, the Workspace Trust feature, designed to prevent unintended command execution, could be bypassed if the last Visual Studio Code window with focus was trusted (Sonar Blog).

Microsoft addressed this vulnerability in Visual Studio Code version 1.67.1 by implementing improved validation on Git repository URLs. The patch includes validating the URL scheme against a pre-established allow list, preventing the argument injection by restricting URL schemes to 'file', 'git', 'http', 'https', and 'ssh' (Sonar Blog).