#VU62002 Input validation error


Published: 2022-04-08 | Updated: 2022-04-12

Vulnerability identifier: #VU62002

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1271

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Gzip
Client/Desktop applications / Software for archiving

Vendor: GNU

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation when processing filenames with two or more newlines. A remote attacker can force zgrep or xzgrep to write arbitrary files on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Gzip: 1.2.4 - 1.11


CPE

External links
http://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c
http://savannah.gnu.org/forum/forum.php?forum_id=10157
http://www.zerodayinitiative.com/advisories/ZDI-22-619/


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability