Select your cookie preferences

We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features.

CVE-2022-1271

Public on 2022-04-25
Modified on 2022-10-25
Description

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.

Severity
Important
See what this means
CVSS v3 Base Score
7.1
See breakdown
Continue reading

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 1 gzip 2022-05-31 23:47 ALAS-2022-1590
Amazon Linux 2 - Core gzip 2022-04-25 22:56 ALAS2-2022-1782
Amazon Linux 2023 gzip 2023-02-17 20:44 ALAS2023-2023-043
Amazon Linux 1 xz 2022-05-31 23:47 ALAS-2022-1598
Amazon Linux 2 - Core xz 2022-04-25 22:56 ALAS2-2022-1782
Amazon Linux 2023 xz 2023-02-17 20:44 ALAS2023-2023-042

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
NVD CVSSv3 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H