
CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

02 Oct 2024 — XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows (MinGW-w64 or MSVC), the command line tools from XZ Utils 5.6.2 and older have a command line argument injection vulnerability. If a command line contains Unicode characters (for example, filenames) that don't exist in the current legacy code page, the characters are converted to similar-looking characters with best-fit mapping. Some best-fit mappings result in ASCII characters that change the ... • https://github.com/tukaani-project/xz/commit/bf518b9ba446327a062ddfe67e7e0a5baed2394f • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') • CWE-176: Improper Handling of Unicode Encoding

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

22 Aug 2023 — An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of "endless output" and "denial of service" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase. • http://web.archive.org/web/20230918084612/https://github.com/snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability