CVE-2021-29482
ADVISORY - github
Summary
Impact
xz is a compression and decompression library for the xz format, written entirely in Go. The function readUvarint, used to read the xz container format, may not terminate its loop when given malicious input.
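The defensive pattern that closes this class of bug is a varint reader that stops after the maximum number of bytes a 64-bit value can occupy, instead of looping until it sees a byte with the high bit clear. The Go program below is an added example, not code from the xz library or its advisory: readUvarintBounded, endlessContinuation, decodeBytes and decodeEndless are names chosen here, and the byte sequences are constructed test inputs. The decoding rules (7 payload bits per byte, continuation flag in the top bit, at most 10 bytes for a uint64) are the generic little-endian base-128 rules of the encoding the xz container uses for its multibyte integers.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// maxUvarintLen64 is the most bytes a valid base-128 encoding of a uint64
// can occupy: nine bytes of 7 payload bits plus a final byte carrying bit 63.
const maxUvarintLen64 = 10

var errOverflowU64 = errors.New("uvarint overflows a 64-bit integer")

// readUvarintBounded decodes a little-endian base-128 varint. A loop that only
// exits on a byte with the high bit clear never terminates on a stream of
// continuation bytes (0x80, 0x80, ...); this version gives up after
// maxUvarintLen64 bytes and reports an error instead.
func readUvarintBounded(r io.ByteReader) (uint64, int, error) {
	var x uint64
	var s uint
	for i := 0; i < maxUvarintLen64; i++ {
		b, err := r.ReadByte()
		if err != nil {
			return 0, i, err
		}
		if b < 0x80 {
			// Final byte. On the 10th byte only bit 0 may be set; anything
			// larger would need more than 64 bits.
			if i == maxUvarintLen64-1 && b > 1 {
				return 0, i + 1, errOverflowU64
			}
			return x | uint64(b)<<s, i + 1, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	// Ten continuation bytes without a terminator: malformed input.
	return 0, maxUvarintLen64, errOverflowU64
}

// endlessContinuation is a constructed io.ByteReader that never returns EOF
// and never clears the high bit, modelling a stream that would keep an
// unbounded loop spinning forever.
type endlessContinuation struct{}

func (endlessContinuation) ReadByte() (byte, error) { return 0x80, nil }

// decodeEndless reports how many bytes the bounded reader consumes from the
// endless stream before it returns an error.
func decodeEndless() (int, error) {
	_, n, err := readUvarintBounded(endlessContinuation{})
	return n, err
}

// decodeBytes decodes one varint from an in-memory buffer
// (bytes.Reader satisfies io.ByteReader).
func decodeBytes(buf []byte) (uint64, int, error) {
	return readUvarintBounded(bytes.NewReader(buf))
}

func main() {
	// Constructed input: 624485 encoded as e5 8e 26.
	v, n, err := decodeBytes([]byte{0xe5, 0x8e, 0x26})
	fmt.Println("value:", v, "bytes:", n, "err:", err)

	// The malformed stream is rejected after exactly 10 bytes.
	n, err = decodeEndless()
	fmt.Println("consumed:", n, "err:", err)
}
```

The same bound is what distinguishes a reader that fails closed on garbage from one that can be kept busy indefinitely; the xz format itself caps its multibyte integers at nine bytes, so a format-specific decoder may legitimately be stricter than the generic 64-bit limit used here.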
Patches
The problem has been fixed in release v0.5.8.
Workarounds
Limit the size of the compressed file input to a reasonable size for your use case.
References
The Go standard library recently had the same issue, which was assigned CVE-2020-16845.
For more information
If you have any questions or comments about this advisory:
- Open an issue in xz.
EPSS Score: 0.00433 (0.622)
Common Weakness Enumeration (CWE)
  nist:   Loop with Unreachable Exit Condition ('Infinite Loop') (CWE-835)
  github: Loop with Unreachable Exit Condition ('Infinite Loop') (CWE-835)
  gitlab: (none listed)
Per-source records (CREATED and UPDATED dates were empty in the record)

Source    Advisory ID           Exploitability score  Exploits found  CWE  CVSS score
NIST      CVE-2021-29482        3.9                   -                    7.5 high
GitHub    GHSA-25xm-hr59-7c27   3.9                   -                    7.5 high
Debian    CVE-2021-29482        -                     -               -    -
Ubuntu    CVE-2021-29482        3.9                   -               -    7.5 medium
GoLang    GO-2020-0016          -                     -               -    -
Red Hat   -                     -                     -               -    7.5 medium
Photon    CVE-2021-29482        -                     -               -    -