#VU62002 Input validation error in Gzip


Published: 2022-04-08 | Updated: 2022-04-12

Vulnerability identifier: #VU62002

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1271

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
Gzip
Client/Desktop applications / Software for archiving

Vendor: GNU

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation when processing filenames with two or more newlines. A remote attacker can force zgrep or xzgrep to write arbitrary files on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Gzip: 1.2.4 - 1.11

Fixed software versions

CPE

External links
http://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c
http://savannah.gnu.org/forum/forum.php?forum_id=10157
http://www.zerodayinitiative.com/advisories/ZDI-22-619/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in Red Hat Ansible Automation Platform 2.4
Multiple vulnerabilities in OpenShift sandboxed containers 1.4
Multiple vulnerabilities in IBM Security Guardium
Multiple vulnerabilities in OpenShift Container Platform 4.11
Multiple vulnerabilities in Red Hat OpenShift Data Foundation 4.13
Multiple vulnerabilities in OpenShift Container Platform 4.13
Multiple vulnerabilities in NetObserv Operator
Input validation error in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data
Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)
Multiple vulnerabilities in Dell VxRail Appliance components