Vulnerability Description
scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.
CVSS Score
7.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tukaani | Xz | <= 4.999.9 |
| Redhat | Enterprise Linux | 5.0 |
Related Weaknesses (CWE)
References
- http://seclists.org/oss-sec/2015/q2/484 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2015/05/19/13 (Mailing List, Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1223341 (Issue Tracking, Vendor Advisory)
- https://git.tukaani.org/?p=xz.git%3Ba=commitdiff%3Bh=f4b2b52624b802c786e4e2a8eb6 (upstream fix commit)
FAQ
What is CVE-2015-4035?
CVE-2015-4035 is a vulnerability with a CVSS score of 7.8 (HIGH). scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.
How severe is CVE-2015-4035?
CVE-2015-4035 has been rated HIGH with a CVSS base score of 7.8/10; see the CVSS Score section above.
Is there a patch for CVE-2015-4035?
Check the references section above for vendor advisories and patch information. Affected products include: Tukaani Xz, Redhat Enterprise Linux.