UBUNTU-CVE-2024-11477

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2024-11477

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-11477.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2024-11477

Related

CVE-2024-11477

Published

2024-11-22T21:15:00Z

Modified

2025-01-13T10:24:48Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the implementation of Zstandard decompression. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24346.

References

Affected packages

Ubuntu:Pro:14.04:LTS / p7zip

Package

Name: p7zip
Purl: pkg:deb/ubuntu/p7zip@9.20.1~dfsg.1-4+deb7u3build0.14.04.1?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.20.1~dfsg.1-4

9.20.1~dfsg.1-4+deb7u1build0.14.04.1

9.20.1~dfsg.1-4+deb7u2build0.14.04.1

9.20.1~dfsg.1-4+deb7u3build0.14.04.1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:16.04:LTS / p7zip

Package

Name: p7zip
Purl: pkg:deb/ubuntu/p7zip@9.20.1~dfsg.1-4.2ubuntu0.1?arch=source&distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.20.1~dfsg.1-4.2

9.20.1~dfsg.1-4.2ubuntu0.1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / p7zip

Package

Name: p7zip
Purl: pkg:deb/ubuntu/p7zip@16.02+dfsg-6?arch=source&distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

16.*

16.02+dfsg-4

16.02+dfsg-5

16.02+dfsg-6

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / p7zip

Package

Name: p7zip
Purl: pkg:deb/ubuntu/p7zip@16.02+dfsg-7build1?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

16.*

16.02+dfsg-7

16.02+dfsg-7build1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / 7zip

Package

Name: 7zip
Purl: pkg:deb/ubuntu/7zip@21.07+dfsg-4?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

21.*

21.03~beta+dfsg-6

21.04~beta+dfsg-1

21.06+dfsg-1

21.07+dfsg-1

21.07+dfsg-2

21.07+dfsg-3

21.07+dfsg-4

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / p7zip

Package

Name: p7zip
Purl: pkg:deb/ubuntu/p7zip@16.02+dfsg-8?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

16.*

16.02+dfsg-8

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / 7zip

Package

Name: 7zip
Purl: pkg:deb/ubuntu/7zip@24.08+dfsg-1?arch=source&distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

24.08+dfsg-1

Affected versions

23.*

23.01+dfsg-11

23.01+dfsg-12

24.*

24.05+dfsg-3

24.06+dfsg-2

24.06+dfsg-3

24.06+dfsg-4

24.07+dfsg-1

24.07+dfsg-2

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "24.08+dfsg-1",
            "binary_name": "7zip"
        },
        {
            "binary_version": "24.08+dfsg-1",
            "binary_name": "7zip-dbgsym"
        },
        {
            "binary_version": "24.08+dfsg-1",
            "binary_name": "7zip-standalone"
        },
        {
            "binary_version": "24.08+dfsg-1",
            "binary_name": "7zip-standalone-dbgsym"
        }
    ]
}

Ubuntu:24.04:LTS / 7zip

Package

Name: 7zip
Purl: pkg:deb/ubuntu/7zip@23.01+dfsg-11?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

23.*

23.01+dfsg-3

23.01+dfsg-7

23.01+dfsg-8

23.01+dfsg-11

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / p7zip

Package

Name: p7zip
Purl: pkg:deb/ubuntu/p7zip@16.02+transitional.1?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

16.02+transitional.1

Affected versions

16.*

16.02+dfsg-8

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "16.02+transitional.1",
            "binary_name": "p7zip"
        },
        {
            "binary_version": "16.02+transitional.1",
            "binary_name": "p7zip-full"
        }
    ]
}