CVE-2022-45063: Command Injection
First published: Thu Nov 10 2022(Updated: )
xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default configurations of some Linux distributions.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| xterm | <375 | |
| Fedora | =35 | |
| Fedora | =36 | |
| Fedora | =37 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2022/11/10/1
- http://www.openwall.com/lists/oss-security/2022/11/10/5
- https://invisible-island.net/xterm/xterm.log.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4TPVNTYFFWNTGZJJQAA4MGGFSTXA4XEA/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5T2JI5JCHPTXX2KJU45H2XAHQSFVEJ2Y/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVD3I2ZFXGOY6BA2FNS7WPFMPFBDHFWC/
- https://news.ycombinator.com/item?id=33546415
- https://security.gentoo.org/glsa/202211-09
- https://www.openwall.com/lists/oss-security/2022/11/10/1
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IVD3I2ZFXGOY6BA2FNS7WPFMPFBDHFWC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4TPVNTYFFWNTGZJJQAA4MGGFSTXA4XEA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5T2JI5JCHPTXX2KJU45H2XAHQSFVEJ2Y/
- http://www.openwall.com/lists/oss-security/2024/06/15/1
- http://www.openwall.com/lists/oss-security/2024/06/17/1
Frequently Asked Questions
What is the severity of CVE-2022-45063?
CVE-2022-45063 is considered a critical vulnerability due to the potential for remote code execution.
How do I fix CVE-2022-45063?
To fix CVE-2022-45063, upgrade xterm to version 375 or later.
What does CVE-2022-45063 affect?
CVE-2022-45063 affects xterm prior to version 375 and certain versions of Fedora 35, 36, and 37.
Can CVE-2022-45063 exploit command execution?
Yes, CVE-2022-45063 can lead to command execution through crafted font operations.
Is CVE-2022-45063 commonly found in default configurations?
No, font operations that trigger CVE-2022-45063 are generally not allowed in the default configurations of some Linux distributions.
- agent/type
- agent/severity
- agent/weakness
- agent/remedy
- agent/description
- agent/first-publish-date
- agent/author
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- agent/trending
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/invisible-island
- canonical/xterm
- vendor/fedoraproject
- canonical/fedora
- version/fedora/35
- version/fedora/36
- version/fedora/37