CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

CVE-2023-46248 – Overwrite of builtin Cody commands facilitates RCE
https://notcve.org/view.php?id=CVE-2023-46248
31 Oct 2023 — Cody is an artificial intelligence (AI) coding assistant. The Cody AI VSCode extension versions 0.10.0 through 0.14.0 are vulnerable to Remote Code Execution under certain conditions. An attacker in control of a malicious repository could modify the Cody configuration file `.vscode/cody.json` and overwrite Cody commands. If a user with the extension installed opens this malicious repository and runs a Cody command such as `/explain` or `/doc`, this could allow arbitrary code execution on the user's machine. The... • https://github.com/sourcegraph/cody/pull/1414 • CWE-15: External Control of System or Configuration Setting