CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47611 – XZ Utils on Microsoft Windows platform are vulnerable to argument injection
https://notcve.org/view.php?id=CVE-2024-47611
02 Oct 2024 — XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows (MinGW-w64 or MSVC), the command line tools from XZ Utils 5.6.2 and older have a command line argument injection vulnerability. If a command line contains Unicode characters (for example, filenames) that don't exist in the current legacy code page, the characters are converted to similar-looking characters with best-fit mapping. Some best-fit mappings result in ASCII characters that change the ... • https://github.com/tukaani-project/xz/commit/bf518b9ba446327a062ddfe67e7e0a5baed2394f • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') CWE-176: Improper Handling of Unicode Encoding •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-29482 – denial of service in github.com/ulikunitz/xz
https://notcve.org/view.php?id=CVE-2021-29482
28 Apr 2021 — xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated. xz es una biblioteca de compresión y descompresión que se c... • https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b • CWE-400: Uncontrolled Resource Consumption CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2015-4035
https://notcve.org/view.php?id=CVE-2015-4035
25 Jul 2017 — scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name. El archivo scripts/xzgrep.in en xzgrep en versión 5.2.x anterior a la 5.0.0, hay una vulnerabilidad que no procesa de manera apropiada los nombres de los archivos que contienen punto y coma, lo que permite a los atacantes remotos ejecutar código arbitrario haciendo que un usuario ej... • http://seclists.org/oss-sec/2015/q2/484 • CWE-20: Improper Input Validation •