CVE-2024-9145

Oct. 4, 2024, 1:51 p.m.

0.0
No Score

Description

Wiz Code Visual Studio Code extension in versions 1.0.0 up to 1.5.3 and Wiz (legacy) Visual Studio Code extension in versions 0.13.0 up to 0.17.8 are vulnerable to local command injection if the user opens a maliciously crafted Dockerfile located in a path that has been marked as a "trusted folder" within Visual Studio Code, and initiates a manual scan of the file.

Product(s) Impacted

Product Versions
Wiz Code Visual Studio Code extension
  • ['1.0.0 up to 1.5.3']
Wiz (legacy) Visual Studio Code extension
  • ['0.13.0 up to 0.17.8']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References

https://marketplace.visualstudio.com/items/WizCloud.wiz-vscode/changelog
https://marketplace.visualstudio.com/items/WizCloud.wizcli-vscode/changelog
https://www.wiz.io/security-advisories

Tags

CWE-77
2024-10-01
CVE-2024-9145
9947ef80-c5d5-474a-bbab-97341a59000e

Timeline

Published: Oct. 1, 2024, 8:15 a.m.
Last Modified: Oct. 4, 2024, 1:51 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

9947ef80-c5d5-474a-bbab-97341a59000e

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.