PT-2023-29927 · Microsoft · Vscode

Andreeleuterio · Published 2023-10-31 · Updated 2023-11-08

CVE-2023-46248
CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Cody AI VSCode extension versions 0.10.0 through 0.14.0

Description

The issue concerns Remote Code Execution under certain conditions. An attacker in control of a malicious repository could modify the Cody configuration file .vscode/cody.json and overwrite Cody commands. If a user with the extension installed opens this malicious repository and runs a Cody command such as /explain or /doc, this could allow arbitrary code execution on the user's machine. The issue is exploitable regardless of the user blocking code execution on a repository through VS Code Workspace Trust. It was found during a regular third-party penetration test. The maintainers do not have evidence of open source repositories having malicious .vscode/cody.json files to exploit this issue.

Recommendations

For Cody AI VSCode extension versions 0.10.0 through 0.14.0, upgrade to version 0.14.1 to fix the issue. In case users can't promptly upgrade, they should not open any untrusted repositories with the Cody extension loaded.
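As an added defensive check that is not part of this advisory or of the Cody project, the script below audits a checkout's .vscode/cody.json before the repository is opened in VS Code: it reports any entry that redefines one of the built-in commands named above (/explain, /doc) and any nested "command" string. The assumption that custom commands carry a nested "command" key that the extension runs as a shell command is not stated on the page and is labelled as such in the code; the sample file is constructed.

```python
"""Audit a repository's .vscode/cody.json before opening it in VS Code."""
import json
import os
from typing import Any

# Built-in command names mentioned in the advisory; a repo-level file that
# redefines one of these matches the pattern the advisory describes.
BUILTIN_COMMANDS = {"explain", "doc"}

# Assumption (not stated in the advisory): a custom command may carry a
# nested "command" string that the extension executes in a shell.
SHELL_KEY = "command"


def _walk(node: Any, path: str, findings: list) -> None:
    """Recursively collect every string value stored under SHELL_KEY."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}" if path else key
            if key == SHELL_KEY and isinstance(value, str):
                findings.append(("shell_command", child, value))
            _walk(value, child, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", findings)


def audit_cody_config(text: str) -> list:
    """Return (kind, json_path, detail) findings for one cody.json document."""
    data = json.loads(text)
    findings: list = []
    # Accept both a flat name->definition map and a {"commands": {...}} wrapper.
    commands = data.get("commands", data) if isinstance(data, dict) else {}
    if not isinstance(commands, dict):
        commands = {}
    for name in commands:
        if name.lstrip("/") in BUILTIN_COMMANDS:
            findings.append(("overrides_builtin", name, "redefines a built-in command"))
    _walk(data, "", findings)
    return findings


def audit_repo(root: str) -> list:
    """Audit every .vscode/cody.json found under root (nested repos included)."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "cody.json" in files:
            with open(os.path.join(dirpath, "cody.json"), encoding="utf-8") as fh:
                results.extend(audit_cody_config(fh.read()))
    return results


# Constructed sample: a repo-level file that redefines /explain and attaches a shell command.
SAMPLE = json.dumps({
    "explain": {"prompt": "Explain this code", "context": {"command": "uname -a"}},
    "lint": {"prompt": "Lint the selection", "context": {"selection": True}},
})

if __name__ == "__main__":
    for kind, where, detail in audit_cody_config(SAMPLE):
        print(f"{kind:18} {where}: {detail}")
```

Run `audit_repo(path)` on a fresh clone before opening it; any finding is a reason to review the file by hand or to keep the extension disabled for that workspace.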

Related Identifiers

CVE-2023-46248
GHSA-8WMQ-FWV7-XMWQ

Affected Products

Vscode