CVE-2022-1271

2022-04-0700:00:00

ubuntu.com

arbitrary file write

gnu gzip

zgrep

insufficient validation

remote attacker

low privileged

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.012

Percentile

85.7%

JSON

An arbitrary file write vulnerability was found in GNU gzip’s zgrep
utility. When zgrep is applied on the attacker’s chosen file name (for
example, a crafted file name), this can overwrite an attacker’s content to
an arbitrary attacker-selected file. This flaw occurs due to insufficient
validation when processing filenames with two or more newlines where
selected content and the target file names are embedded in crafted
multi-line file names. This flaw allows a remote, low privileged attacker
to force zgrep to write arbitrary files on the system.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchgzip< 1.6-5ubuntu1.2UNKNOWN
ubuntu20.04noarchgzip< 1.10-0ubuntu4.1UNKNOWN
ubuntu21.10noarchgzip< 1.10-4ubuntu1.1UNKNOWN
ubuntu22.04noarchgzip< 1.10-4ubuntu4UNKNOWN
ubuntu14.04noarchgzip< 1.6-3ubuntu1+esm1UNKNOWN
ubuntu16.04noarchgzip< 1.6-4ubuntu1+esm1UNKNOWN
ubuntu18.04noarchxz-utils< 5.2.2-1.3ubuntu0.1UNKNOWN
ubuntu20.04noarchxz-utils< 5.2.4-1ubuntu1.1UNKNOWN
ubuntu21.10noarchxz-utils< 5.2.5-2ubuntu0.1UNKNOWN
ubuntu22.04noarchxz-utils< 5.2.5-2ubuntu1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	gzip	< 1.6-5ubuntu1.2	UNKNOWN
ubuntu	20.04	noarch	gzip	< 1.10-0ubuntu4.1	UNKNOWN
ubuntu	21.10	noarch	gzip	< 1.10-4ubuntu1.1	UNKNOWN
ubuntu	22.04	noarch	gzip	< 1.10-4ubuntu4	UNKNOWN
ubuntu	14.04	noarch	gzip	< 1.6-3ubuntu1+esm1	UNKNOWN
ubuntu	16.04	noarch	gzip	< 1.6-4ubuntu1+esm1	UNKNOWN
ubuntu	18.04	noarch	xz-utils	< 5.2.2-1.3ubuntu0.1	UNKNOWN
ubuntu	20.04	noarch	xz-utils	< 5.2.4-1ubuntu1.1	UNKNOWN
ubuntu	21.10	noarch	xz-utils	< 5.2.5-2ubuntu0.1	UNKNOWN
ubuntu	22.04	noarch	xz-utils	< 5.2.5-2ubuntu1	UNKNOWN