<p>Upgrade <code>Amazon-Linux:2018.03</code> <code>gzip</code> to version 0:1.5-9.20.amzn1 or higher.<br>This issue was patched in <code>ALAS-2022-1590</code>.</p>

Incorrect Behavior Order: Early Validation Affecting gzip package, versions <0:1.5-9.20.amzn1

Snyk CVSS

Attack Complexity Low

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS 0.72% (81^st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-AMZN201803-GZIP-2866035
published 10 Jun 2022
disclosed 31 Aug 2022

Report a new vulnerability Found a mistake?

Introduced: 10 Jun 2022

CVE-2022-1271 Open this link in a new tab CWE-179 Open this link in a new tab CWE-1173 Open this link in a new tab

How to fix?

Upgrade Amazon-Linux:2018.03 gzip to version 0:1.5-9.20.amzn1 or higher.
This issue was patched in ALAS-2022-1590.

NVD Description

Note: Versions mentioned in the description apply only to the upstream gzip package and not the gzip package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2018.03 relevant fixed versions and status.

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.