Vulnerabilities > CVE-2021-29482 - Infinite Loop vulnerability in XZ Project XZ

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

PARTIAL

network

low complexity

xz-project

CWE-835

NVD

Published: 2021-04-28

Updated: 2021-05-14

Summary

xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated.

Vulnerable Configurations

Part	Description	Count
Application	Xz_Project XZ Project XZ - XZ Project XZ 0.1 XZ Project XZ 0.2 XZ Project XZ 0.3 XZ Project XZ 0.3.1 XZ Project XZ 0.4 XZ Project XZ 0.4.1 XZ Project XZ 0.5 XZ Project XZ 0.5.1 XZ Project XZ 0.5.2 XZ Project XZ 0.5.3 XZ Project XZ 0.5.4 XZ Project XZ 0.5.5 XZ Project XZ 0.5.6 XZ Project XZ 0.5.7	15

Common Weakness Enumeration (CWE)

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References