Security Flaw in libXpm Affects File Compression Handling
CVE-2022-4883

8.8HIGH

Key Information:

Vendor: X.org
Status: Libxpm
Vendor: CVE Published:; 7 February 2023

What is CVE-2022-4883?

A security issue was identified in libXpm where it improperly handles files with .Z or .gz extensions. The library calls external programs for file compression and decompression while relying on the PATH environment variable to find these programs. This dependency can be exploited by a malicious user who manipulates the PATH, potentially leading to the execution of arbitrary programs. Users of libXpm are advised to apply security patches to mitigate this risk.

Affected Version(s)

libXpm 3.5.15

References

https://bugzilla.redhat.com/show_bug.cgi?id=2160213

https://gitlab.freedesktop.org/xorg/lib/libxpm/-/merge_re...

https://lists.x.org/archives/xorg-announce/2023-January/0...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 7, 2023
Vulnerability Reserved
Jan 9, 2023

X.org

What is CVE-2022-4883?

Affected Version(s)

References

CVSS V3.1

Timeline