5.6.1

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

tukaani

CWE-506

critical

NVD

Published: 2024-03-29

Updated: 2024-05-01

Summary

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Vulnerable Configurations

Part	Description	Count
Application	Tukaani Tukaani XZ 5.6.1 Tukaani XZ 5.6.0	2

Common Weakness Enumeration (CWE)

CWE-506 - Embedded Malicious Code

Vulnerabilities > CVE-2024-3094 - Embedded Malicious Code vulnerability in Tukaani XZ 5.6.0/5.6.1

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Related news

References