Wiz Code Visual Studio Code extension in versions 1.0.0... · CVE-2024-9145 · GitHub Advisory Database · GitHub

Wiz Code Visual Studio Code extension in versions 1.0.0...

High severity Unreviewed Published Oct 1, 2024 to the GitHub Advisory Database • Updated Oct 1, 2024

Package

No package listed— Suggest a package

Affected versions

Unknown

Patched versions

Unknown

Description

Wiz Code Visual Studio Code extension in versions 1.0.0 up to 1.5.3 and Wiz (legacy) Visual Studio Code extension in versions 0.13.0 up to 0.17.8 are vulnerable to local command injection if the user opens a maliciously crafted Dockerfile located in a path that has been marked as a "trusted folder" within Visual Studio Code, and initiates a manual scan of the file.

References

Published by the National Vulnerability Database

Oct 1, 2024

Published to the GitHub Advisory Database Oct 1, 2024

Last updated Oct 1, 2024

Severity

High

/ 10

CVSS v4 base metrics

Exploitability Metrics

Attack Vector Local

Attack Complexity Low

Attack Requirements Present

Privileges Required None

User interaction Active

Vulnerable System Impact Metrics

Confidentiality High

Integrity High

Availability Low

Subsequent System Impact Metrics

Confidentiality None

Integrity None

Availability None

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X