#VU62002 Input validation error in Gzip - CVE-2022-1271
Published: April 8, 2022 / Updated: April 12, 2022
Vulnerability identifier: #VU62002
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2022-1271
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Gzip
Software vendor: GNU
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation when processing filenames with two or more newlines. A remote attacker can force zgrep or xzgrep to write arbitrary files on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.
Remediation
Install updates from the vendor's website.
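
The Description ties the flaw to file names containing two or more newlines that reach zgrep or xzgrep. The POSIX sh sketch below is an added example, not code from this advisory or from GNU: it checks for such names before they are passed on. The function names `has_multiline_name`, `count_multiline_names` and `guarded_zgrep` are hypothetical, and the check is an assumption about a useful audit step, not a substitute for the vendor update.

```shell
#!/bin/sh
# Added example (not from the advisory or from GNU): flag file names that
# contain two or more newlines before they reach zgrep/xzgrep.
# All function names here are hypothetical.

# A literal newline, written portably for POSIX sh.
NL='
'

# has_multiline_name NAME
# Succeeds when NAME contains at least two newline characters.
has_multiline_name() {
    case $1 in
        *"$NL"*"$NL"*) return 0 ;;
        *) return 1 ;;
    esac
}

# count_multiline_names DIR
# Prints how many entries under DIR have such a name. One "x" is emitted
# per match so the names themselves are never parsed line by line.
count_multiline_names() {
    find "$1" -name "*${NL}*${NL}*" -exec printf x \; | wc -c | tr -d ' '
}

# guarded_zgrep PATTERN FILE...
# Refuses (status 2) if any FILE argument has a multi-newline name;
# otherwise hands the arguments to zgrep unchanged.
guarded_zgrep() {
    _pattern=$1
    shift
    for _f in "$@"; do
        if has_multiline_name "$_f"; then
            echo "refusing: a file name contains two or more newlines" >&2
            return 2
        fi
    done
    zgrep -e "$_pattern" "$@"
}
```

Running `count_multiline_names` over upload or extraction directories gives a quick count of names that should be reviewed or renamed before any compressed-file search runs over them.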