CVSS3

Metric | Value
---|---
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | CHANGED
Confidentiality Impact | HIGH
Integrity Impact | HIGH
Availability Impact | HIGH
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AI Score confidence | High
EPSS percentile | 95.8%
Malicious code was discovered in the upstream tarballs of xz, starting with
version 5.6.0. Through a series of complex obfuscations, the liblzma build
process extracts a prebuilt object file from a disguised test file existing
in the source code, which is then used to modify specific functions in the
liblzma code. This results in a modified liblzma library that can be used
by any software linked against this library, intercepting and modifying the
data interaction with this library.
Author | Note
---|---
| Priority reason: Results in a backdoor in sshd
mdeslaur | The affected version of xz-utils was only in noble-proposed, and was removed before migrating to noble itself. No released versions of Ubuntu were affected by this issue.