CVE-2015-4035

high

Description

scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.

References

Advisories
More

http://www.openwall.com/lists/oss-security/2015/05/19/13

http://seclists.org/oss-sec/2015/q2/484

https://git.tukaani.org/?p=xz.git%3Ba=commitdiff%3Bh=f4b2b52624b802c786e4e2a8eb6895794dd93b24

https://bugzilla.redhat.com/show_bug.cgi?id=1223341

Details

Source: Mitre, NVD

Published: 2017-07-25

Updated: 2025-04-20

Risk Information

CVSS v2

Base Score: 4.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00387

Detections

Analytics