Vulnerability Details : CVE-2022-4883
A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable.
Vulnerability category: File inclusion
Products affected by CVE-2022-4883
- cpe:2.3:a:x.org:libxpm:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-4883
0.16%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 52 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-4883
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2022-4883
-
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.Assigned by: secalert@redhat.com (Primary)
References for CVE-2022-4883
-
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/merge_requests/9
Issues handling XPM files in libXpm prior to 3.5.15 (!9) · Merge requests · xorg / lib / libXpm · GitLab
-
https://bugzilla.redhat.com/show_bug.cgi?id=2160213
2160213 – (CVE-2022-4883) CVE-2022-4883 libXpm: compression commands depend on $PATHIssue Tracking;Patch;Third Party Advisory
-
https://lists.x.org/archives/xorg-announce/2023-January/003312.html
X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15
-
https://lists.debian.org/debian-lts-announce/2023/06/msg00021.html
[SECURITY] [DLA 3459-1] libxpm security update
-
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/515294bb8023a45ff91669
Fix CVE-2022-4883: compression commands depend on $PATH (515294bb) · Commits · xorg / lib / libXpm · GitLab
Jump to