{
  "version": "1",
  "package": [
    {
      "name": "xz",
      "layer": "meta",
      "version": "5.4.6",
      "products": [
        {
          "product": "xz",
          "cvesInRecord": "Yes"
        }
      ],
      "issue": [
        {
          "id": "CVE-2015-4035",
          "summary": "scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.",
          "scorev2": "4.6",
          "scorev3": "7.8",
          "vector": "LOCAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-4035"
        },
        {
          "id": "CVE-2020-22916",
          "summary": "An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of \"endless output\" and \"denial of service\" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.",
          "scorev2": "0.0",
          "scorev3": "5.5",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-22916"
        },
        {
          "id": "CVE-2021-29482",
          "summary": "xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop when provided with malicious input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library recently had the same issue, for which CVE-2020-16845 was allocated.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29482"
        },
        {
          "id": "CVE-2022-1271",
          "summary": "An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an arbitrary attacker-selected file with the attacker's content. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.",
          "scorev2": "0.0",
          "scorev3": "8.8",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-1271"
        },
        {
          "id": "CVE-2024-3094",
          "summary": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. \r\nThrough a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.",
          "scorev2": "0.0",
          "scorev3": "10.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-3094"
        }
      ]
    }
  ]
}