CVE-2024-3094

Summary

CVE: CVE-2024-3094
State: PUBLISHED
Assigner: Unknown
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2024-03-29 17:15:00 UTC
Updated: 2024-04-03 06:15:00 UTC
Description: Description unavailable.

Risk And Classification

Problem Types: CWE-506

NVD Known Affected Configurations (CPE 2.3)

Type Vendor Product Version Update Edition Language
Application Tukaani Xz 5.6.0 All All All
Application Tukaani Xz 5.6.1 All All All

References

Reference Source Link Tags
research.swtch.com/xz-timeline research.swtch.com
aws.amazon.com/security/security-bulletins/AWS-2024-002 aws.amazon.com Third Party Advisory
www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users www.redhat.com Vendor Advisory
discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs... discourse.nixos.org Third Party Advisory
twitter.com/infosecb/status/1774595540233167206 twitter.com Press/Media Coverage
bugzilla.suse.com/show_bug.cgi bugzilla.suse.com Issue Tracking, Third Party Advisory
twitter.com/debian/status/1774219194638409898 twitter.com Press/Media Coverage
bugs.gentoo.org/928134 bugs.gentoo.org Issue Tracking, Third Party Advisory
xeiaso.net/notes/2024/xz-vuln xeiaso.net Third Party Advisory
news.ycombinator.com/item news.ycombinator.com Issue Tracking
www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromis... www.cisa.gov Third Party Advisory, US Government Resource
bugs.debian.org/cgi-bin/bugreport.cgi bugs.debian.org Mailing List, Vendor Advisory
openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094 openssf.org Third Party Advisory
github.com/karcherm/xz-malware github.com Third Party Advisory
twitter.com/LetsDefendIO/status/1774804387417751958 twitter.com Third Party Advisory
gynvael.coldwind.pl gynvael.coldwind.pl Technical Description, Third Party Advisory
arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-... arstechnica.com Third Party Advisory
tukaani.org/xz-backdoor tukaani.org Issue Tracking, Vendor Advisory
lwn.net/Articles/967180 lwn.net Issue Tracking, Third Party Advisory
news.ycombinator.com/item news.ycombinator.com Issue Tracking, Third Party Advisory
RHBZ#2272210 bugzilla.redhat.com Issue Tracking, Vendor Advisory
ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-pro... ariadne.space
lists.freebsd.org/archives/freebsd-security/2024-March/000248.html lists.freebsd.org Third Party Advisory
news.ycombinator.com/item news.ycombinator.com
www.kali.org/blog/about-the-xz-backdoor www.kali.org
twitter.com/infosecb/status/1774597228864139400 twitter.com Press/Media Coverage
security.archlinux.org/CVE-2024-3094 security.archlinux.org Third Party Advisory
github.com/amlweems/xzbot github.com
boehs.org/node/everything-i-know-about-the-xz-backdoor boehs.org Third Party Advisory
www.openwall.com/lists/oss-security/2024/03/29/4 www.openwall.com Mailing List
access.redhat.com/security/cve/CVE-2024-3094 access.redhat.com Vendor Advisory
www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094 www.vicarius.io
gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 gist.github.com Third Party Advisory
lists.debian.org/debian-security-announce/2024/msg00057.html lists.debian.org Mailing List, Third Party Advisory
github.com/advisories/GHSA-rxwq-x6h5-x525 github.com Third Party Advisory
security.alpinelinux.org/vuln/CVE-2024-3094 security.alpinelinux.org Third Party Advisory
www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-x... www.darkreading.com Third Party Advisory
security-tracker.debian.org/tracker/CVE-2024-3094 security-tracker.debian.org Third Party Advisory
research.swtch.com/xz-script research.swtch.com
www.theregister.com/2024/03/29/malicious_backdoor_xz www.theregister.com Press/Media Coverage
www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-ba... www.tenable.com Third Party Advisory
ubuntu.com/security/CVE-2024-3094 ubuntu.com Third Party Advisory
security.netapp.com/advisory/ntap-20240402-0001 security.netapp.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 379548 XZ Utils SSH Backdoor Versions Detected (CVE-2024-3094)
  • 379582 XZ Utils SSH Backdoor Versions Detected for MacOS
  • 48253 Possible Exposure to xzlib Detected on MacOS
  • 710884 Gentoo Linux XZ utils Backdoor in release tarballs Vulnerability (GLSA 202403-04)