CVE-2022-0529

A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
VendorProductVersion
unzip_projectunzip
6.0
redhatenterprise_linux
8.0
debiandebian_linux
10.0
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
unzip
bullseye (security)
6.0-26+deb11u1
fixed
bullseye
6.0-26+deb11u1
fixed
sid
6.0-28
fixed
trixie
6.0-28
fixed
bookworm
6.0-28
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
unzip
jammy
Fixed 6.0-26ubuntu3.1
released
impish
ignored
focal
Fixed 6.0-25ubuntu1.1
released
bionic
Fixed 6.0-21ubuntu1.2
released
xenial
Fixed 6.0-20ubuntu1.1+esm1
released
trusty
Fixed 6.0-9ubuntu1.6+esm1
released
Common Weakness Enumeration
References
https://bugzilla.redhat.com/show_bug.cgi?id=2051395
https://github.com/ByteHackr/unzip_poc
https://lists.debian.org/debian-lts-announce/2022/09/msg00028.html
https://security.gentoo.org/glsa/202310-17
https://www.debian.org/security/2022/dsa-5202
https://bugzilla.redhat.com/show_bug.cgi?id=2051395
https://github.com/ByteHackr/unzip_poc
https://lists.debian.org/debian-lts-announce/2022/09/msg00028.html
https://security.gentoo.org/glsa/202310-17
https://www.debian.org/security/2022/dsa-5202