CVE-2022-1271 — HIGH (8.8) — White Hats Nepal

Q: How severe is CVE-2022-1271?

CVE-2022-1271 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-1271?

Check the references section above for vendor advisories and patch information. Affected products include: Gnu Gzip, Redhat Jboss Data Grid, Debian Debian Linux, Tukaani Xz.

Vulnerability Description

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Gnu	Gzip	< 1.12
Redhat	Jboss Data Grid	7.0.0
Debian	Debian Linux	10.0
Tukaani	Xz	< 5.2.5

Related Weaknesses (CWE)

CWE-20 CWE-179

References

https://access.redhat.com/security/cve/CVE-2022-1271Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2073310Issue TrackingThird Party Advisory
https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0Broken Link
https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.htmlMailing ListPatchVendor Advisory
https://security-tracker.debian.org/tracker/CVE-2022-1271Third Party Advisory
https://security.gentoo.org/glsa/202209-01Third Party Advisory
https://security.netapp.com/advisory/ntap-20220930-0006/Third Party Advisory
https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patchPatchThird Party Advisory
https://www.openwall.com/lists/oss-security/2022/04/07/8Mailing ListPatchThird Party Advisory
https://access.redhat.com/security/cve/CVE-2022-1271Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2073310Issue TrackingThird Party Advisory
https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0Broken Link
https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.htmlMailing ListPatchVendor Advisory
https://security-tracker.debian.org/tracker/CVE-2022-1271Third Party Advisory
https://security.gentoo.org/glsa/202209-01Third Party Advisory

FAQ

What is CVE-2022-1271?

CVE-2022-1271 is a vulnerability with a CVSS score of 8.8 (HIGH). An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker...

How severe is CVE-2022-1271?

CVE-2022-1271 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-1271?

Check the references section above for vendor advisories and patch information. Affected products include: Gnu Gzip, Redhat Jboss Data Grid, Debian Debian Linux, Tukaani Xz.