CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AI Score confidence: High
EPSS Percentile: 95.8%
Software: xz 5.2.4
OS: ROSA Virtualization 2.1
package_evr_string: xz-5.2.4-1
CVE-ID: CVE-2024-3094
BDU-ID: 2024-02406
CVE-Crit: CRITICAL
CVE-DESC.: Malicious code was discovered in xz source archives starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file present in the source code; this object file is then used to modify specific functions in the liblzma code. The result is a modified liblzma library that can be used by any software linked against it, intercepting and modifying the data that software exchanges with the library.
CVE-STATUS: Not relevant
CVE-REV: