CVE-2024-47611

XZ Utils provides a general-purpose data-compression library plus command-line tools. When built for native Windows (MinGW-w64 or MSVC), the command-line tools from XZ Utils 5.6.2 and older have a command-line argument injection vulnerability. If a command line contains Unicode characters (for example, in filenames) that don't exist in the current legacy code page, those characters are converted to similar-looking characters by best-fit mapping. Some best-fit mappings produce ASCII characters that change the meaning of the command line, which can be exploited with malicious filenames to perform argument injection or directory traversal attacks. This vulnerability is fixed in 5.6.3. Command-line tools built for Cygwin or MSYS2 are unaffected. liblzma is unaffected.
Argument Injection
CVSS metrics by provider (columns: Base Score, Atk. Vector, Atk. Complexity, Priv. Required, Vector):
  NIST (type: NIST):     UNKNOWN  ---
  GitHub_M (type: CNA):  ---      ---
  CISA-ADP (type: ADP):  ---      ---
Awaiting analysis: this vulnerability is currently awaiting analysis.
Base Score (CVSS 3.x): none listed
EPSS Score: percentile 39%
Debian Releases (product: xz-utils)
Codename              Version             Status
bullseye (security)   5.2.5-2.1~deb11u1   fixed
bullseye              5.2.5-2.1~deb11u1   fixed
bookworm              5.4.1-1             fixed
bookworm (security)   5.4.1-1             fixed
sid                   5.8.1-1             fixed
trixie                5.8.1-1             fixed
Ubuntu Releases (product: xz-utils)
Codename   Status
noble      not-affected
jammy      not-affected
focal      not-affected
bionic     not-affected
xenial     not-affected
trusty     not-affected