cbcvebase.
CVE-2022-1271
published 2022-08-31

Priority: P2 (60, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 4.06% (89.4th percentile)
An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied to an attacker-chosen file name (for example, a crafted file name), it can write attacker-controlled content to an arbitrary, attacker-selected file. The flaw stems from insufficient validation when processing file names that contain two or more newlines: both the content to write and the target file name are embedded in the crafted multi-line file name. This allows a remote, low-privileged attacker to force zgrep to write arbitrary files on the system.

Affected (19 ranges)

Vendor       | Product                               | Version range                | Fixed in
debian       | debian_linux                          |                              |
debian       | gzip                                  | < gzip 1.12-1 (bookworm)     | gzip 1.12-1 (bookworm)
debian       | xz-utils                              | < gzip 1.12-1 (bookworm)     | gzip 1.12-1 (bookworm)
gnu          | gzip                                  | < 1.12                       | 1.12
gzip         | gzip                                  | >= 0, < 1.10-4+deb11u1       | 1.10-4+deb11u1
gzip         | gzip                                  | >= 0, < 1.12-1               | 1.12-1
gzip         | gzip                                  | >= 0, < 1.12-1               | 1.12-1
gzip         | gzip                                  | >= 0, < 1.12-1               | 1.12-1
msrc         | cbl2_gzip_1.12-1_on_cbl_mariner_2.0   |                              |
msrc         | cbl_mariner_1.0_arm                   |                              |
msrc         | cbl_mariner_1.0_x64                   |                              |
msrc         | cbl_mariner_2.0_arm                   |                              |
msrc         | cbl_mariner_2.0_x64                   |                              |
msrc         | cm1_gzip_1.12-1_on_cbl_mariner_1.0    |                              |
openzeppelin | contracts                             | >= 4.1.0, < 4.7.1            | 4.7.1
openzeppelin | contracts-upgradeable                 | >= 4.1.0, < 4.7.1            | 4.7.1
paloalto     | pan-os                                |                              |
redhat       | jboss_data_grid                       |                              |
tukaani      | xz                                    | < 5.2.5                      | 5.2.5

Detection & IOCs (extracted from sources)

  • Attack vector: zgrep/xzgrep processing of specially crafted filenames containing two or more newlines, where selected content and target file names are embedded in crafted multi-line file names, triggers arbitrary file write.
  • Vulnerability was introduced in gzip version 1.3.10; systems running gzip >= 1.3.10 and unpatched are in scope for this CVE.
  • Monitor for zgrep or xzgrep invocations where the filename argument contains newline characters (\n), which is the core exploitation primitive for this vulnerability.
  • Audit automated systems or pipelines that invoke zgrep/xzgrep on externally supplied or user-controlled filenames, as these are the primary exploitation path for a remote, low-privileged attacker.
  • Debian fixed versions are available: bookworm/forky/sid/trixie fixed in gzip 1.12-1; bullseye fixed in 1.10-4+deb11u1. Unpatched Debian systems on these branches remain vulnerable.
  • Red Hat Enterprise Linux 6 is affected but out of support scope; gzip was not included in the RHEL 6 ELS Inclusion List, so no official patch will be provided for that platform.
  • Both gzip (zgrep) and xz-utils (xzgrep) are affected; detection and patching efforts must cover both packages.
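The two detection points above (newline-bearing arguments to zgrep/xzgrep, and the gzip 1.3.10 to 1.12 scope) as a small worked detector. This is an added example, not code from cbcvebase or from the gzip or xz projects. It assumes process-execution telemetry arrives as JSON lines with "pid", "uid" and "argv" fields (field names are an assumption), and the sample events are constructed, not real logs. The version helper only judges the upstream number; distribution builds such as 1.10-4+deb11u1 carry backported fixes and have to be checked against the distribution's own fixed-version list, as the Debian bullet above shows.

```python
"""Detection helpers for CVE-2022-1271 (zgrep / xzgrep newline-in-filename).

Added example, not code from cbcvebase or from the gzip/xz projects.
Assumes process-execution events as JSON lines with an "argv" list plus
"pid" and "uid" (field names are an assumption). SAMPLE_EVENTS is constructed.
"""
import json
import os
import re
from typing import Iterable, List

# Wrappers named on the page as affected. A deployment may extend this set
# (upstream also installs other z*grep aliases; that is an assumption here).
AFFECTED_WRAPPERS = {"zgrep", "xzgrep"}

# Upstream gzip bounds quoted on the page: introduced in 1.3.10, fixed in 1.12.
INTRODUCED = (1, 3, 10)
FIXED = (1, 12)


def parse_upstream_version(v: str) -> tuple:
    """Return the leading dotted-numeric part of a version string as a tuple.

    Distro suffixes ('1.10-4+deb11u1') are dropped on purpose: a backported
    fix cannot be judged from the upstream number, so such builds must be
    compared against the distribution's own fixed-version list instead.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def gzip_upstream_in_scope(version: str) -> bool:
    """True if an *upstream* gzip version lies in [1.3.10, 1.12)."""
    return INTRODUCED <= parse_upstream_version(version) < FIXED


def find_newline_args(argv: List[str]) -> List[int]:
    """Indices of arguments (argv[0] excluded) that contain a newline.

    Every argument is checked, not only file names: telling a pattern from a
    file name would require parsing grep's option syntax, and a newline in
    any argument to these wrappers is anomalous enough to alert on.
    """
    return [i for i, a in enumerate(argv) if i > 0 and "\n" in a]


def scan_events(lines: Iterable[str]) -> List[dict]:
    """Return one alert per affected-wrapper execution with a newline argument."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        argv = ev.get("argv") or []
        name = os.path.basename(argv[0]) if argv else ""
        if name not in AFFECTED_WRAPPERS:
            continue  # plain grep etc. is not affected by this CVE
        hits = find_newline_args(argv)
        if hits:
            alerts.append({
                "pid": ev.get("pid"),
                "uid": ev.get("uid"),
                "wrapper": name,
                "newline_args": [argv[i] for i in hits],
            })
    return alerts


# Constructed sample telemetry (not real logs). Newlines appear as \n escapes
# once serialized with json.dumps and come back as real newlines on load.
SAMPLE_EVENTS = [
    {"pid": 4101, "uid": 1000, "argv": ["zgrep", "-i", "error", "/var/log/app.log.gz"]},
    {"pid": 4102, "uid": 1000, "argv": ["zgrep", "foo", "report\nsecond line.gz"]},
    {"pid": 4103, "uid": 1000, "argv": ["xzgrep", "-n", "TODO", "a\nb\nc.xz"]},
    {"pid": 4104, "uid": 0,    "argv": ["grep", "x", "has\nnewline"]},
    {"pid": 4105, "uid": 1000, "argv": ["/usr/bin/zgrep", "pat", "crafted\nname.gz"]},
]


def sample_alerts() -> List[dict]:
    """Run the detector over the constructed events (three should fire)."""
    return scan_events(json.dumps(e) for e in SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"pid={a['pid']} uid={a['uid']} {a['wrapper']}: "
              f"{len(a['newline_args'])} newline-bearing argument(s)")
    for v in ("1.3.9", "1.3.10", "1.10", "1.12"):
        print(v, "in upstream scope" if gzip_upstream_in_scope(v) else "out of scope")
```

Event 4104 is deliberately a plain grep call with a newline argument: it is not flagged, because the page scopes the flaw to the compression wrappers. The detector keys on the basename of argv[0], so a full path such as /usr/bin/zgrep still matches.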

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv           |         | 8.8   | HIGH     |
vendor_debian |         | 8.8   | HIGH     |
vendor_msrc   |         | 8.8   | HIGH     |
vendor_redhat |         | 8.8   | HIGH     |
vendor_oracle |         | 7.1   | HIGH     |