CVE-2024-47611: Argument Injection in xz-utils

Severity: 6.3 MEDIUM (NVD)
EPSS: 0.4% (top 40.14%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 2

Description

XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows (MinGW-w64 or MSVC), the command line tools from XZ Utils 5.6.2 and older have a command line argument injection vulnerability. If a command line contains Unicode characters (for example, filenames) that don't exist in the current legacy code page, the characters are converted to similar-looking characters with best-fit mapping. Some best-fit mappings result in ASCII characters that

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages (2 packages)

CVEList V5: tukaani-project/xz < 5.6.3

Vendor Advisories (2)

Red Hat: xz: XZ Utils on Microsoft Windows platform are vulnerable to argument injection (2024-10-02)
Debian: CVE-2024-47611: xz-utils - XZ Utils provide a general-purpose data-compression library plus command-line to... (2024)