PT-2024-32672 · Xz Utils · Xz Utils

Splitline · Published 2024-10-02 · Updated 2026-03-29 · CVE-2024-47611

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: XZ Utils versions 5.6.2 and older
Description: The issue is a command line argument injection vulnerability in XZ Utils when built for native Windows. It occurs when Unicode characters in filenames are converted to similar-looking ASCII characters during command line processing; the converted characters can change the meaning of the command line and allow argument injection or directory traversal. The estimated number of potentially affected devices is not specified.
Recommendations: For versions 5.6.2 and older, update to version 5.6.3 or newer to resolve the issue. As a temporary workaround, avoid Unicode characters in filenames passed to command line tools until the update is applied. Restrict access to sensitive directories to minimize the impact of directory traversal.
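The workaround above amounts to a filename check before a name reaches a Windows command line. The following is an added example, not code from the advisory or from XZ Utils: it flags characters whose ASCII fold lands on an option prefix, path separator, quote or argument-splitting space. It assumes NFKC compatibility normalisation as a stand-in for the Windows best-fit conversion the advisory describes (the real mapping is code-page dependent), and the sample names are constructed.

```python
import unicodedata

# Characters that change how a Windows command line or path is interpreted:
# option prefix, path separators, quoting, and argument-splitting whitespace.
SHELL_SIGNIFICANT = set('-/\\"\' |&<>^%')


def ascii_fold(ch: str):
    """Return the single ASCII character a non-ASCII char folds to, else None.

    ASSUMPTION: NFKC normalisation approximates the best-fit conversion named in
    the advisory; the actual Windows mapping depends on the active code page.
    """
    if ch.isascii():
        return None
    folded = unicodedata.normalize("NFKC", ch)
    if len(folded) == 1 and folded.isascii():
        return folded
    return None


def risky_bestfit_chars(name: str):
    """List (original_char, ascii_lookalike) pairs whose fold is shell-significant."""
    hits = []
    for ch in name:
        folded = ascii_fold(ch)
        if folded is not None and folded in SHELL_SIGNIFICANT:
            hits.append((ch, folded))
    return hits


def is_safe_for_cli(name: str) -> bool:
    """True when no character could be re-read as an option, separator,
    quote or extra argument after an ASCII fold."""
    return not risky_bestfit_chars(name)


if __name__ == "__main__":
    # Constructed samples: a fullwidth hyphen in front of "d", a fullwidth
    # solidus posing as a path separator, and a no-break space before "-b".
    for sample in ["report_2024.xz", "\uff0dd.xz", "..\uff0fsecret.xz", "a\u00a0-b.xz"]:
        verdict = "safe" if is_safe_for_cli(sample) else risky_bestfit_chars(sample)
        print(repr(sample), verdict)
```

Names that fail the check should be renamed or rejected rather than quoted, since the fold happens after any quoting the caller applies.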

Weakness Enumeration: Argument Injection

Related Identifiers: CVE-2024-47611, GHSA-M538-C5QW-3CG4

Affected Products: Xz Utils