Security Advisories

This page contains information regarding security vulnerabilities that could affect Wiz products.


Date: September 11, 2024

Title: Security Update for Wiz Visual Studio Code Extension

Summary:

On September 11, 2024, Wiz was notified by a security researcher of a vulnerability affecting the Wiz Visual Studio Code Extension.

Upon review, Wiz confirmed that the vulnerability could permit local command injection on a developer workstation when all of the following preconditions were met: the affected user would have to open a maliciously crafted Docker image file, do so from a folder that has been marked as a “trusted folder” within Visual Studio Code, and initiate a manual scan of the file.

This issue only affects users of the Wiz VS Code Extension who interact with a maliciously crafted file as described above.

The Wiz cloud platform and products are not affected. Wiz would like to thank Rohit Kumar (@rohitcoder) for identifying and notifying us of this vulnerability. Wiz supports responsible disclosure by the security researcher community, and maintains a security disclosures page with details on how to submit findings and eligibility criteria.

Affected Versions of the Wiz Code Extension:
Wiz has two generations of the Wiz extension on the VS Code marketplace.
The impacted versions are:

Wiz (legacy): Versions 0.13.0 - 0.17.8 are vulnerable; fix is in version 0.17.9 and greater.
Wiz Code: Versions 1.0.0 - 1.5.3 are vulnerable; fix is in version 1.5.4 and greater.
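To check a workstation against the ranges above, the following Python script (an added example, not Wiz's code and not part of this advisory) parses the output of the VS Code CLI command "code --list-extensions --show-versions" and flags any listed extension whose version falls inside a vulnerable range. The extension identifiers wiz.wiz-legacy and wiz.wiz-code are assumed placeholders, not the real Marketplace IDs; substitute the publisher.name identifiers shown on the Marketplace listing for each extension. The sample listing is constructed for illustration.

```python
"""Check a VS Code extension listing against the version ranges in this advisory.

Added example, not Wiz's code. The extension identifiers below are ASSUMED
placeholders; replace them with the publisher.name IDs from the Marketplace.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# (first vulnerable version, first fixed version), per the advisory text.
# A version is vulnerable when first_vulnerable <= version < first_fixed.
ADVISORY_RANGES: Dict[str, Tuple[Version, Version]] = {
    "wiz.wiz-legacy": ((0, 13, 0), (0, 17, 9)),  # placeholder ID for "Wiz (legacy)"
    "wiz.wiz-code": ((1, 0, 0), (1, 5, 4)),      # placeholder ID for "Wiz Code"
}

# Leading numeric components only; a pre-release suffix such as "-beta" is ignored.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Turn '1.5.3' (or '1.5.3-beta') into a comparable (1, 5, 3) tuple; missing parts are 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_vulnerable(ext_id: str, version: str) -> Optional[bool]:
    """True/False for extensions named in the advisory, None for any other extension."""
    rng = ADVISORY_RANGES.get(ext_id.lower())
    if rng is None:
        return None
    first_vulnerable, first_fixed = rng
    return first_vulnerable <= parse_version(version) < first_fixed


def parse_listing(listing: str) -> Dict[str, str]:
    """Parse `code --list-extensions --show-versions` output: one 'publisher.name@1.2.3' per line."""
    installed: Dict[str, str] = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line or "@" not in line:
            continue
        ext_id, _, version = line.rpartition("@")
        installed[ext_id.lower()] = version
    return installed


def check_listing(listing: str) -> Dict[str, Tuple[str, bool]]:
    """Map each advisory extension found in the listing to (installed version, vulnerable?)."""
    results: Dict[str, Tuple[str, bool]] = {}
    for ext_id, version in parse_listing(listing).items():
        verdict = is_vulnerable(ext_id, version)
        if verdict is not None:
            results[ext_id] = (version, verdict)
    return results


def check_installed() -> Dict[str, Tuple[str, bool]]:
    """Run the VS Code CLI (the `code` launcher must be on PATH) and check what it reports."""
    out = subprocess.run(
        ["code", "--list-extensions", "--show-versions"],
        capture_output=True, text=True, check=True,
    ).stdout
    return check_listing(out)


# Constructed sample output, not captured from a real workstation.
SAMPLE_LISTING = """\
ms-python.python@2024.14.1
wiz.wiz-legacy@0.17.8
wiz.wiz-code@1.5.4
"""

if __name__ == "__main__":
    for ext_id, (version, vulnerable) in check_listing(SAMPLE_LISTING).items():
        print(f"{ext_id}@{version}: {'VULNERABLE - update' if vulnerable else 'fixed'}")
```

Run check_installed() on a real workstation to check the live listing; the comparison is done on numeric tuples rather than strings so that, for example, 0.17.10 correctly sorts after 0.17.9.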

Actions Recommended:
Users who have installed the Wiz Code Extension should update it to the fixed versions specified above. As a workaround prior to upgrading, users can also disable the “pull” feature in the extension via the wiz.pullDockerfileImages setting, so that the extension does not pull the base image referenced by a Dockerfile before scanning it.

Note that for compatibility reasons, the Wiz Code VS Code Extension 1.5.4 requires upgrading Wiz CLI to version 0.46.0.

Wiz customers that need additional assistance can open a support ticket - our teams are ready to help as needed!

Timeline (all times in UTC):
2024-09-11 13:44 - Researcher contacts Wiz security team to share details on the vulnerability
2024-09-11 14:08 - Wiz Engineering validates the issue and starts working on a fix
2024-09-11 14:18 - Wiz Security Team e-mails researcher to acknowledge receipt
2024-09-11 17:11 - Wiz Engineering publishes fixed version of extensions to VS Code Marketplace