CVE-2024-3094

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3094.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-3094

Aliases

GHSA-rxwq-x6h5-x525

Related

Published

2024-03-29T17:15:21Z

Modified

2024-12-05T15:37:02.815503Z

Severity

10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

References

Affected packages

Alpine:v3.15 / lighttpd

Package

Name: lighttpd
Purl: pkg:apk/alpine/lighttpd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.76-r0

Affected versions

1.*

1.4.20-r1

1.4.20-r2

1.4.22-r0

1.4.23-r0

1.4.23-r1

1.4.23-r2

1.4.24-r0

1.4.25-r0

1.4.25-r1

1.4.25-r2

1.4.26-r0

1.4.26-r1

1.4.26-r2

1.4.26-r3

1.4.26-r4

1.4.26-r5

1.4.27-r0

1.4.28-r0

1.4.28-r3

1.4.28-r4

1.4.28-r5

1.4.28-r6

1.4.28-r7

1.4.29-r0

1.4.29-r1

1.4.29-r2

1.4.30-r0

1.4.30-r1

1.4.30-r2

1.4.30-r3

1.4.31-r0

1.4.32-r0

1.4.32-r1

1.4.33-r1

1.4.33-r2

1.4.33-r3

1.4.34-r0

1.4.34-r1

1.4.35-r0

1.4.35-r1

1.4.35-r2

1.4.35-r3

1.4.35-r4

1.4.36-r0

1.4.37-r0

1.4.38-r0

1.4.39-r0

1.4.39-r1

1.4.39-r2

1.4.39-r3

1.4.39-r4

1.4.40-r0

1.4.40-r1

1.4.42-r0

1.4.43-r0

1.4.44-r0

1.4.45-r0

1.4.45-r1

1.4.47-r0

1.4.47-r1

1.4.48-r0

1.4.48-r1

1.4.49-r0

1.4.49-r1

1.4.50-r0

1.4.50-r1

1.4.52-r0

1.4.53-r0

1.4.53-r1

1.4.54-r0

1.4.54-r1

1.4.55-r0

1.4.55-r1

1.4.56-r0

1.4.57-r0

1.4.59-r0

1.4.59-r1

1.4.59-r2

1.4.60-r0

1.4.61-r0

1.4.61-r1

1.4.64-r0

1.4.73-r0

Alpine:v3.16 / lighttpd

Package

Name: lighttpd
Purl: pkg:apk/alpine/lighttpd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.76-r0

Affected versions

1.*

1.4.20-r1

1.4.20-r2

1.4.22-r0

1.4.23-r0

1.4.23-r1

1.4.23-r2

1.4.24-r0

1.4.25-r0

1.4.25-r1

1.4.25-r2

1.4.26-r0

1.4.26-r1

1.4.26-r2

1.4.26-r3

1.4.26-r4

1.4.26-r5

1.4.27-r0

1.4.28-r0

1.4.28-r3

1.4.28-r4

1.4.28-r5

1.4.28-r6

1.4.28-r7

1.4.29-r0

1.4.29-r1

1.4.29-r2

1.4.30-r0

1.4.30-r1

1.4.30-r2

1.4.30-r3

1.4.31-r0

1.4.32-r0

1.4.32-r1

1.4.33-r1

1.4.33-r2

1.4.33-r3

1.4.34-r0

1.4.34-r1

1.4.35-r0

1.4.35-r1

1.4.35-r2

1.4.35-r3

1.4.35-r4

1.4.36-r0

1.4.37-r0

1.4.38-r0

1.4.39-r0

1.4.39-r1

1.4.39-r2

1.4.39-r3

1.4.39-r4

1.4.40-r0

1.4.40-r1

1.4.42-r0

1.4.43-r0

1.4.44-r0

1.4.45-r0

1.4.45-r1

1.4.47-r0

1.4.47-r1

1.4.48-r0

1.4.48-r1

1.4.49-r0

1.4.49-r1

1.4.50-r0

1.4.50-r1

1.4.52-r0

1.4.53-r0

1.4.53-r1

1.4.54-r0

1.4.54-r1

1.4.55-r0

1.4.55-r1

1.4.56-r0

1.4.57-r0

1.4.59-r0

1.4.59-r1

1.4.59-r2

1.4.60-r0

1.4.61-r0

1.4.61-r1

1.4.62-r0

1.4.63-r0

1.4.64-r0

1.4.73-r0

Alpine:v3.17 / lighttpd

Package

Name: lighttpd
Purl: pkg:apk/alpine/lighttpd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.76-r0

Affected versions

1.*

1.4.20-r1

1.4.20-r2

1.4.22-r0

1.4.23-r0

1.4.23-r1

1.4.23-r2

1.4.24-r0

1.4.25-r0

1.4.25-r1

1.4.25-r2

1.4.26-r0

1.4.26-r1

1.4.26-r2

1.4.26-r3

1.4.26-r4

1.4.26-r5

1.4.27-r0

1.4.28-r0

1.4.28-r3

1.4.28-r4

1.4.28-r5

1.4.28-r6

1.4.28-r7

1.4.29-r0

1.4.29-r1

1.4.29-r2

1.4.30-r0

1.4.30-r1

1.4.30-r2

1.4.30-r3

1.4.31-r0

1.4.32-r0

1.4.32-r1

1.4.33-r1

1.4.33-r2

1.4.33-r3

1.4.34-r0

1.4.34-r1

1.4.35-r0

1.4.35-r1

1.4.35-r2

1.4.35-r3

1.4.35-r4

1.4.36-r0

1.4.37-r0

1.4.38-r0

1.4.39-r0

1.4.39-r1

1.4.39-r2

1.4.39-r3

1.4.39-r4

1.4.40-r0

1.4.40-r1

1.4.42-r0

1.4.43-r0

1.4.44-r0

1.4.45-r0

1.4.45-r1

1.4.47-r0

1.4.47-r1

1.4.48-r0

1.4.48-r1

1.4.49-r0

1.4.49-r1

1.4.50-r0

1.4.50-r1

1.4.52-r0

1.4.53-r0

1.4.53-r1

1.4.54-r0

1.4.54-r1

1.4.55-r0

1.4.55-r1

1.4.56-r0

1.4.57-r0

1.4.59-r0

1.4.59-r1

1.4.59-r2

1.4.60-r0

1.4.61-r0

1.4.61-r1

1.4.62-r0

1.4.63-r0

1.4.64-r0

1.4.65-r0

1.4.65-r1

1.4.66-r0

1.4.67-r0

1.4.73-r0

Alpine:v3.18 / lighttpd

Package

Name: lighttpd
Purl: pkg:apk/alpine/lighttpd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.76-r0

Affected versions

1.*

1.4.20-r1

1.4.20-r2

1.4.22-r0

1.4.23-r0

1.4.23-r1

1.4.23-r2

1.4.24-r0

1.4.25-r0

1.4.25-r1

1.4.25-r2

1.4.26-r0

1.4.26-r1

1.4.26-r2

1.4.26-r3

1.4.26-r4

1.4.26-r5

1.4.27-r0

1.4.28-r0

1.4.28-r3

1.4.28-r4

1.4.28-r5

1.4.28-r6

1.4.28-r7

1.4.29-r0

1.4.29-r1

1.4.29-r2

1.4.30-r0

1.4.30-r1

1.4.30-r2

1.4.30-r3

1.4.31-r0

1.4.32-r0

1.4.32-r1

1.4.33-r1

1.4.33-r2

1.4.33-r3

1.4.34-r0

1.4.34-r1

1.4.35-r0

1.4.35-r1

1.4.35-r2

1.4.35-r3

1.4.35-r4

1.4.36-r0

1.4.37-r0

1.4.38-r0

1.4.39-r0

1.4.39-r1

1.4.39-r2

1.4.39-r3

1.4.39-r4

1.4.40-r0

1.4.40-r1

1.4.42-r0

1.4.43-r0

1.4.44-r0

1.4.45-r0

1.4.45-r1

1.4.47-r0

1.4.47-r1

1.4.48-r0

1.4.48-r1

1.4.49-r0

1.4.49-r1

1.4.50-r0

1.4.50-r1

1.4.52-r0

1.4.53-r0

1.4.53-r1

1.4.54-r0

1.4.54-r1

1.4.55-r0

1.4.55-r1

1.4.56-r0

1.4.57-r0

1.4.59-r0

1.4.59-r1

1.4.59-r2

1.4.60-r0

1.4.61-r0

1.4.61-r1

1.4.62-r0

1.4.63-r0

1.4.64-r0

1.4.65-r0

1.4.65-r1

1.4.66-r0

1.4.67-r0

1.4.68-r0

1.4.69-r0

1.4.69-r1

1.4.69-r2

1.4.70-r0

1.4.71-r0

1.4.73-r0

Alpine:v3.20 / xz

Package

Name: xz
Purl: pkg:apk/alpine/xz?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.1-r2

Affected versions

5.*

5.0.0-r0

5.0.1-r0

5.0.2-r0

5.0.3-r0

5.0.3-r1

5.0.4-r0

5.0.4-r1

5.0.5-r0

5.0.6-r0

5.0.7-r0

5.2.0-r0

5.2.1-r0

5.2.2-r0

5.2.2-r1

5.2.3-r0

5.2.3-r1

5.2.4-r0

5.2.5-r0

5.2.5-r1

5.2.6-r0

5.2.6-r1

5.2.7-r0

5.2.8-r0

5.2.9-r0

5.4.0-r0

5.4.0-r1

5.4.1-r0

5.4.2-r0

5.4.2-r1

5.4.3-r0

5.4.3-r1

5.4.4-r0

5.4.5-r0

5.4.6-r0

5.6.1-r0

5.6.1-r1

Alpine:v3.21 / xz

Package

Name: xz
Purl: pkg:apk/alpine/xz?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.1-r2

Affected versions

5.*

5.0.0-r0

5.0.1-r0

5.0.2-r0

5.0.3-r0

5.0.3-r1

5.0.4-r0

5.0.4-r1

5.0.5-r0

5.0.6-r0

5.0.7-r0

5.2.0-r0

5.2.1-r0

5.2.2-r0

5.2.2-r1

5.2.3-r0

5.2.3-r1

5.2.4-r0

5.2.5-r0

5.2.5-r1

5.2.6-r0

5.2.6-r1

5.2.7-r0

5.2.8-r0

5.2.9-r0

5.4.0-r0

5.4.0-r1

5.4.1-r0

5.4.2-r0

5.4.2-r1

5.4.3-r0

5.4.3-r1

5.4.4-r0

5.4.5-r0

5.4.6-r0

5.6.1-r0

5.6.1-r1

Debian:13 / xz-utils

Package

Name: xz-utils
Purl: pkg:deb/debian/xz-utils?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.1+really5.4.5-1

Affected versions

5.*

5.4.1-0.2

5.4.4-0.1

5.4.5-0.1

5.4.5-0.2

5.4.5-0.3

5.5.1alpha-0.1

5.5.2beta-1

5.6.0-0.1

5.6.0-0.2

5.6.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / git.tukaani.org/xz.git

Affected ranges

Type: GIT
Repo: https://git.tukaani.org/xz.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

2d7d862e3ffa8cec4fd3fdffcd84e984a17aa429

Last affected

fd1b975b7851e081ed6e5cf63df946cd5cbdbb94

Affected versions

v4.*

v4.42.2alpha

v4.999.3alpha

v4.999.5alpha

v4.999.7beta

v4.999.8beta

v4.999.9beta

v5.*

v5.0.0

v5.1.0alpha

v5.1.1alpha

v5.1.2alpha

v5.1.3alpha

v5.1.4beta

v5.2.0

v5.2.1

v5.3.1alpha

v5.3.2alpha

v5.3.3alpha

v5.3.4alpha

v5.3.5beta

v5.4.0

v5.5.0alpha

v5.5.1alpha

v5.5.2beta

v5.6.0