CVE-2024-9145 HIGH

CVE-2024-9145: Local command injection in Wiz Code Visual Studio Code extension

Vendor Wiz
Product Wiz Code Visual Studio Code extension
Weakness CWE-77
Published October 1, 2024
Last update November 21, 2024

CVSS base score

7.1/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Wiz Code Visual Studio Code extension in versions 1.0.0 up to 1.5.3 and Wiz (legacy) Visual Studio Code extension in versions 0.13.0 up to 0.17.8 are vulnerable to local command injection if the user opens a maliciously crafted Dockerfile located in a path that has been marked as a "trusted folder" within Visual Studio Code, and initiates a manual scan of the file.

Key dates

02Disclosure timeline

October 1, 2024 CVE published
November 21, 2024 Record updated