XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows (MinGW-w64 or MSVC), the command line tools from XZ Utils 5.6.2 and older have a command line argument injection vulnerability. If a command line contains Unicode characters (for example, filenames) that don't exist in the current legacy code page, the characters are converted to similar-looking characters with best-fit mapping. Some best-fit mappings result in ASCII characters that change the meaning of the command line, which can be exploited with malicious filenames to do argument injection or directory traversal attacks. This vulnerability is fixed in 5.6.3. Command line tools built for Cygwin or MSYS2 are unaffected. liblzma is unaffected.
History

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 0.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


Wed, 06 Nov 2024 13:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 02 Oct 2024 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Tukaani
Tukaani xz
CPEs cpe:2.3:a:tukaani:xz:*:*:*:*:*:*:*:*
Vendors & Products Tukaani
Tukaani xz
Metrics cvssV3_1

{'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 02 Oct 2024 14:30:00 +0000

Type Values Removed Values Added
Description XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows (MinGW-w64 or MSVC), the command line tools from XZ Utils 5.6.2 and older have a command line argument injection vulnerability. If a command line contains Unicode characters (for example, filenames) that don't exist in the current legacy code page, the characters are converted to similar-looking characters with best-fit mapping. Some best-fit mappings result in ASCII characters that change the meaning of the command line, which can be exploited with malicious filenames to do argument injection or directory traversal attacks. This vulnerability is fixed in 5.6.3. Command line tools built for Cygwin or MSYS2 are unaffected. liblzma is unaffected.
Title XZ Utils on Microsoft Windows platform are vulnerable to argument injection
Weaknesses CWE-176
CWE-88
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-10-02T14:16:07.318Z

Updated: 2024-11-21T16:55:27.310Z

Reserved: 2024-09-27T20:37:22.120Z

Link: CVE-2024-47611

cve-icon Vulnrichment

Updated: 2024-10-02T15:28:34.007Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-10-02T15:15:14.980

Modified: 2024-11-21T17:15:17.430

Link: CVE-2024-47611

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-10-02T14:16:07Z

Links: CVE-2024-47611 - Bugzilla