Lucene search

[email protected]NVD:CVE-2020-22916

HistoryAug 22, 2023 - 7:16 p.m.

CVE-2020-22916

2023-08-2219:16:19

[email protected]

web.nvd.nist.gov

xz decompression crafted file

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

28.3%

JSON

An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of “endless output” and “denial of service” because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.

Affected configurations

Nvd

Node

tukaanixzMatch5.2.5

VendorProductVersionCPE
tukaanixz5.2.5cpe:2.3:a:tukaani:xz:5.2.5:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
tukaani	xz	5.2.5	cpe:2.3:a:tukaani:xz:5.2.5:::::::*

References

web.archive.org/web/20230918084612/github.com/snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability

bugzilla.redhat.com/show_bug.cgi?id=2234987

bugzilla.suse.com/show_bug.cgi?id=1214590

github.com/snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability

github.com/tukaani-project/xz/issues/61

security-tracker.debian.org/tracker/CVE-2020-22916

tukaani.org/xz/

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

28.3%

JSON

Related for NVD:CVE-2020-22916

alpinelinux1 prion1 redhatcve1 vulnrichment1 cve1 cvelist1 ubuntucve1 ibm1