CVE-2024-9145

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Oct 1, 2024 / Updated: 49d ago

CVSS 7.1 / EPSS 0.05% / High

Wiz Code Visual Studio Code extension in versions 1.0.0 up to 1.5.3 and Wiz (legacy) Visual Studio Code extension in versions 0.13.0 up to 0.17.8 are vulnerable to local command injection if the user opens a maliciously crafted Dockerfile located in a path that has been marked as a "trusted folder" within Visual Studio Code, and initiates a manual scan of the file.

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment: NVD published the first details for CVE-2024-9145 (Oct 1, 2024 at 8:15 AM)

First Article: Feedly found the first article mentioning CVE-2024-9145 (Oct 1, 2024 at 8:24 AM / National Vulnerability Database)

CVSS Estimate: Feedly estimated the CVSS score as MEDIUM (Oct 1, 2024 at 8:24 AM)

EPSS: EPSS Score was set to: 0.05% (Percentile: 16.3%) (Oct 2, 2024 at 11:05 AM)

Attack Patterns

CAPEC-136: LDAP Injection

News

NA - CVE-2024-9145 - Wiz Code Visual Studio Code extension in...
Wiz Code Visual Studio Code extension in versions 1.0.0 up to 1.5.3 and Wiz (legacy) Visual Studio Code extension in versions 0.13.0 up to 0.17.8 are vulnerable to local command injection if the...

CVE-2024-9145 | Wiz Code Visual Studio Code Extension up to 0.17.8/1.5.3 Dockerfile command injection
A vulnerability classified as critical was found in Wiz Code Visual Studio Code Extension up to 0.17.8/1.5.3. This vulnerability affects unknown code of the component Dockerfile Handler. The manipulation leads to command injection. This vulnerability was named CVE-2024-9145. An attack has to be approached locally. There is no exploit available.

CVE-2024-9145 - Wiz Code Visual Studio Code Command Injection Vulnerability
CVE ID: CVE-2024-9145. Published: Oct. 1, 2024, 8:15 a.m. Description: Wiz Code Visual Studio Code extension in versions 1.0.0 up to 1.5.3 and Wiz (legacy) Visual Studio Code extension in versions 0.13.0 up to 0.17.8 are vulnerable to local command injection if the user opens a maliciously crafted Dockerfile located in a path that has been marked as a "trusted folder" within Visual Studio Code, and initiates a manual scan of the file. Severity: 0.0 NA

CVSS V3.1

Unknown
