Vulnerability Details CVE-2021-29482
xz is a compression and decompression library for the xz format written entirely in Go. The function readUvarint, used to read the xz container format, may not terminate its loop when given malicious input. The problem has been fixed in release v0.5.8. As a workaround, users can limit the size of the compressed input to a reasonable size for their use case. The Go standard library recently had the same issue, which was assigned CVE-2020-16845.
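As an added example (not the xz project's code and not its actual readUvarint), assuming the loop in question reads LEB128 continuation bytes without an upper bound: a bounded reader that fails after ten bytes, plus a constructed byte stream that never clears the continuation bit and would keep an unbounded loop running.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

const maxUvarintLen = 10 // a 64-bit value needs at most 10 LEB128 bytes
var errOverflow = errors.New("uvarint longer than 10 bytes or wider than 64 bits")

// readUvarintBounded decodes an unsigned LEB128 varint but gives up after
// maxUvarintLen bytes; returns value, bytes consumed, and an error.
func readUvarintBounded(r io.ByteReader) (uint64, int, error) {
	x, s := uint64(0), uint(0)
	for i := 0; i < maxUvarintLen; i++ {
		b, err := r.ReadByte()
		if err != nil {
			if i > 0 && err == io.EOF {
				err = io.ErrUnexpectedEOF // truncated mid-varint
			}
			return 0, i, err
		}
		if b < 0x80 {
			// final byte: in position 10 only one payload bit still fits in 64 bits
			if i == maxUvarintLen-1 && b > 1 {
				return 0, i + 1, errOverflow
			}
			return x | uint64(b)<<s, i + 1, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	return 0, maxUvarintLen, errOverflow
}

// continuationStream is a constructed stand-in for endless hostile input:
// every byte has the continuation bit set, so an unbounded reader never returns.
type continuationStream struct{ n int }

func (c *continuationStream) ReadByte() (byte, error) { c.n++; return 0x80, nil }

func main() {
	v, n, err := readUvarintBounded(bytes.NewReader([]byte{0xE5, 0x8E, 0x26}))
	fmt.Println(v, n, err) // 624485 3 <nil>
	_, n, err = readUvarintBounded(&continuationStream{})
	fmt.Println(n, err) // 10 uvarint longer than 10 bytes or wider than 64 bits
}
```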
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 41.0%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
Products affected by CVE-2021-29482
- cpe:2.3:a:xz_project:xz:-
- cpe:2.3:a:xz_project:xz:0.1
- cpe:2.3:a:xz_project:xz:0.2
- cpe:2.3:a:xz_project:xz:0.3
- cpe:2.3:a:xz_project:xz:0.3.1
- cpe:2.3:a:xz_project:xz:0.4
- cpe:2.3:a:xz_project:xz:0.4.1
- cpe:2.3:a:xz_project:xz:0.5
- cpe:2.3:a:xz_project:xz:0.5.1
- cpe:2.3:a:xz_project:xz:0.5.2
- cpe:2.3:a:xz_project:xz:0.5.3
- cpe:2.3:a:xz_project:xz:0.5.4
- cpe:2.3:a:xz_project:xz:0.5.5
- cpe:2.3:a:xz_project:xz:0.5.6
- cpe:2.3:a:xz_project:xz:0.5.7