CVE-2024-47611

CVSS 3.1 Score 0.0 of 10 (low)

Details

Published Oct 2, 2024
CWE ID 88
CWE ID 176

Summary

CVE-2024-47611 is a command line argument injection vulnerability in XZ Utils versions 5.6.2 and earlier when built for native Windows environments such as MinGW-w64 or MSVC. Unicode characters in command lines are improperly converted, so a malicious filename can lead to argument injection or directory traversal. Various command line tools from XZ Utils are affected; builds for Cygwin or MSYS2, as well as liblzma, are unaffected. The vulnerability is fixed in XZ Utils 5.6.3. Organizations are advised to upgrade to the latest version to mitigate the risk; the vulnerability has a low exploitability score but could still be used maliciously across network attack vectors.
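A pre-flight check for jobs that still hand untrusted filenames to an affected build, as an added example (not code from XZ Utils or from this advisory). It assumes NFKC compatibility folding as a conservative stand-in for the lossy Unicode conversion, whose real mapping depends on the Windows code page; the function names and sample filenames are constructed for illustration.

```python
import unicodedata

FIXED = (5, 6, 3)  # first fixed XZ Utils release named in the summary above


def is_affected_version(version: str) -> bool:
    """True for plain dotted versions older than 5.6.3, e.g. '5.6.2'."""
    return tuple(int(p) for p in version.split(".")[:3]) < FIXED


def fold(name: str) -> str:
    # Assumption: NFKC folding approximates the lossy conversion. It is not
    # the Windows mapping table, only a conservative detection heuristic.
    return unicodedata.normalize("NFKC", name)


def segments(path: str) -> list[str]:
    return path.replace("\\", "/").split("/")


def audit_filename(name: str) -> list[str]:
    """Return the reasons a filename should not reach an affected build."""
    if name.isascii():
        return []  # pure ASCII names are not changed by the conversion
    findings = ["non-ascii: conversion may alter the name"]
    folded = fold(name)
    if folded.startswith("-") and not name.startswith("-"):
        findings.append("folds to an option-like argument")
    if ".." in segments(folded) and ".." not in segments(name):
        findings.append("folds to a parent-directory segment")
    if '"' in folded and '"' not in name:
        findings.append("folds to a double quote")
    return findings


# Constructed sample filenames, written with escapes so they stay visible.
SAMPLES = ["report.xz", "r\u00e9sum\u00e9.xz",
           "\uff0dnotes.xz", "a/\uff0e\uff0e/b.xz"]

if __name__ == "__main__":
    print("5.6.2 affected:", is_affected_version("5.6.2"))
    for sample in SAMPLES:
        print(ascii(sample), audit_filename(sample))
```

Names with any finding can be quarantined or renamed until the tools are upgraded to 5.6.3.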
