Vulnerability Change Records for CVE-2024-3094

Change History

New CVE Received by NIST 3/29/2024 1:15:21 PM

Action  Type         Old Value  New Value
------  -----------  ---------  ---------
Added   CVSS V3.1               Red Hat, Inc.  AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Added   CWE                     Red Hat, Inc.  CWE-506
Added   Description             Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. The tarballs included extra .m4 files, which contained instructions for building with automake that did not exist in the repository. These instructions, through a series of complex obfuscations, extract a prebuilt object file from one of the test archives, which is then used to modify specific functions in the code while building the liblzma package. This issue results in liblzma being used by additional software, like sshd, to provide functionality that will be interpreted by the modified functions.
Added   Reference               Red Hat, Inc.  https://access.redhat.com/security/cve/CVE-2024-3094 [No types assigned]
Added   Reference               Red Hat, Inc.  https://bugzilla.redhat.com/show_bug.cgi?id=2272210 [No types assigned]
Added   Reference               Red Hat, Inc.  https://www.openwall.com/lists/oss-security/2024/03/29/4 [No types assigned]
Added   Reference               Red Hat, Inc.  https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users [No types assigned]