What is the severity of CVE-2024-47611?

CVE-2024-47611 is classified as a medium severity vulnerability affecting XZ Utils.

How do I fix CVE-2024-47611?

To fix CVE-2024-47611, update XZ Utils to version 5.6.3 or later.

What type of vulnerability is CVE-2024-47611?

CVE-2024-47611 is a command line argument injection vulnerability that affects XZ Utils.

Which versions of XZ Utils are affected by CVE-2024-47611?

XZ Utils versions 5.6.2 and older are affected by CVE-2024-47611.

What platforms are impacted by CVE-2024-47611?

CVE-2024-47611 impacts XZ Utils when built for native Windows using MinGW-w64 or MSVC.

Vulnerability/
CVE-2024-47611

medium

6.3

CWE

88 176

2/10/2024

21/11/2024

CVE-2024-47611: XZ Utils on Microsoft Windows platform are vulnerable to argument injection

First published: Wed Oct 02 2024(Updated: )

XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows (MinGW-w64 or MSVC), the command line tools from XZ Utils 5.6.2 and older have a command line argument injection vulnerability. If a command line contains Unicode characters (for example, filenames) that don't exist in the current legacy code page, the characters are converted to similar-looking characters with best-fit mapping. Some best-fit mappings result in ASCII characters that change the meaning of the command line, which can be exploited with malicious filenames to do argument injection or directory traversal attacks. This vulnerability is fixed in 5.6.3. Command line tools built for Cygwin or MSYS2 are unaffected. liblzma is unaffected.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Xz-utils	<5.6.3

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-47611?
CVE-2024-47611 is classified as a medium severity vulnerability affecting XZ Utils.
How do I fix CVE-2024-47611?
To fix CVE-2024-47611, update XZ Utils to version 5.6.3 or later.
What type of vulnerability is CVE-2024-47611?
CVE-2024-47611 is a command line argument injection vulnerability that affects XZ Utils.
Which versions of XZ Utils are affected by CVE-2024-47611?
XZ Utils versions 5.6.2 and older are affected by CVE-2024-47611.
What platforms are impacted by CVE-2024-47611?
CVE-2024-47611 impacts XZ Utils when built for native Windows using MinGW-w64 or MSVC.

agent/references
agent/title
agent/weakness
agent/first-publish-date
agent/description
agent/type
agent/author
agent/event
agent/severity
collector/mitre-cve
source/MITRE
collector/nvd-api
source/NVD
agent/last-modified-date
agent/source
agent/softwarecombine
agent/tags
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/xz utils
canonical/xz-utils

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.