Skip to main content

Untrusted Search Path

CVE-2022-4883

Severity High
Score 8.8/10

Summary

A flaw was found in versions prior to 3.5.15. When processing files with ".Z" or ".gz" extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • LOW
  • HIGH
  • HIGH

CWE-426 - Untrusted Search Path

The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.

Advisory Timeline

  • Published