Description
Wiz Code Visual Studio Code extension in versions 1.0.0 up to 1.5.3 and Wiz (legacy) Visual Studio Code extension in versions 0.13.0 up to 0.17.8 are vulnerable to local command injection if the user opens a maliciously crafted Dockerfile located in a path that has been marked as a "trusted folder" within Visual Studio Code, and initiates a manual scan of the file.
References (3)
Core References
Various Sources
https://www.wiz.io/security-advisories
Scores
CVSS v4: 7.1
EPSS: 0.0076
EPSS Percentile: 50.5%
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-77
Status: published
Products (2)
Wiz/Wiz Code Visual Studio Code extension: 0.13.0 - 0.17.8
Wiz/Wiz Code Visual Studio Code extension: 1.0.0 - 1.5.3
Published: Oct 01, 2024
Tracked Since: Feb 18, 2026