CVE-2022-4883: Untrusted Search Path in Libxpm

Severity: 8.8 HIGH (NVD)
EPSS: 0.2% (top 59.84%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 7; latest update Feb 21

Description

A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (3 packages)

Source      Package        Version
NVD         x.org/libxpm   < 3.5.15
Debian      x.org/libxpm   < 1:3.5.12-1.1~deb11u1+3
CVEListV5   x.org/libxpm   3.5.15

Vulnerability Details (3)

OSV: CVE-2022-4883: A flaw was found in libXpm (2023-02-07)
GHSA: GHSA-75px-q76w-83rc: A flaw was found in libXpm (2023-02-07)
CVEList: CVE-2022-4883: A flaw was found in libXpm (2023-02-07)

Vendor Advisories (7)

Ubuntu: libXpm vulnerabilities (2023-02-21)
Microsoft: A flaw was found in libXpm. When processing files with .Z or .gz extensions the library calls external programs to compress and uncompress files relying on the PATH environment variable to find these (2023-02-14)
BSD: OpenBSD 7.1 Errata 019: SECURITY FIX (2023-01-17)
BSD: OpenBSD 7.2 Errata 014: SECURITY FIX (2023-01-17)
Ubuntu: libXpm vulnerabilities (2023-01-17)
CVE-2022-4883 — Untrusted Search Path in X.org Libxpm | cvebase