Vulnerability Description
A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable.
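To illustrate the weakness described above from the defender's side, here is an added example (not libXpm's own code and not the upstream fix) that resolves a helper such as uncompress against a fixed list of trusted directories and then runs it with execv(), so the PATH environment variable is never consulted; the directory list and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Trusted helper locations fixed at build time (assumed for this example);
 * $PATH is never consulted, so a manipulated PATH cannot redirect the call. */
static const char *const TRUSTED_DIRS[] = { "/usr/bin", "/bin", NULL };

/* Resolve a bare program name (no '/') against TRUSTED_DIRS.
 * On success writes the absolute path to out and returns 0; otherwise -1. */
int resolve_helper(const char *name, char *out, size_t outlen)
{
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
        return -1;                 /* only bare names, never caller-supplied paths */
    for (const char *const *d = TRUSTED_DIRS; *d != NULL; d++) {
        int n = snprintf(out, outlen, "%s/%s", *d, name);
        if (n < 0 || (size_t)n >= outlen)
            return -1;             /* truncated: refuse rather than guess */
        if (access(out, X_OK) == 0)
            return 0;
    }
    return -1;                     /* not present in any trusted directory */
}

/* Run the resolved helper with an explicit argv and no shell involved.
 * Returns the child's exit status, or -1 if it could not be run. */
int run_helper(const char *name, char *const argv[])
{
    char path[4096];
    int status;
    if (resolve_helper(name, path, sizeof path) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(path, argv);         /* execv(): absolute path, no PATH search */
        _exit(127);                /* only reached if execv() itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Spawning the equivalent of "uncompress -c file.Z" then becomes run_helper("uncompress", argv) with argv built by the caller; a helper that is absent from the trusted directories is refused instead of being searched for elsewhere.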
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| X.Org | Libxpm | < 3.5.15 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2160213 (Issue Tracking, Patch, Third Party Advisory)
- https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/515294bb8023a45ff91669
- https://gitlab.freedesktop.org/xorg/lib/libxpm/-/merge_requests/9
- https://lists.debian.org/debian-lts-announce/2023/06/msg00021.html
- https://lists.x.org/archives/xorg-announce/2023-January/003312.html
FAQ
What is CVE-2022-4883?
CVE-2022-4883 is a vulnerability with a CVSS score of 8.8 (HIGH). A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find thes...
How severe is CVE-2022-4883?
CVE-2022-4883 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-4883?
Check the references section above for vendor advisories and patch information. Affected products include: X.Org Libxpm.