CVE-2015-4035: Improper Input Validation in XZ

Severity
7.8 HIGH (NVD)
EPSS
0.6%
top 30.15%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jul 25
Latest update: May 14

Description

scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (1 package)

NVD: tukaani/xz 4.999.9

Vulnerability Details

2
GHSA
GHSA-mf33-8p24-6h53: scripts/xzgrep (2022-05-14)
CVEList
CVE-2015-4035: scripts/xzgrep (2017-07-25)

Vendor Advisories

2
Red Hat
xzgrep: incorrect parsing of filenames containing a semicolon (2015-05-18)
Debian
CVE-2015-4035: xz-utils - scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly p... (2015)

Community

1
Bugzilla
CVE-2015-4035 xzgrep: incorrect parsing of filenames containing a semicolon (2015-05-20)