{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-02T12:13:51.006","vulnerabilities":[{"cve":{"id":"CVE-2024-3094","sourceIdentifier":"secalert@redhat.com","published":"2024-03-29T17:15:21.150","lastModified":"2025-08-19T01:15:57.407","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. \r\nThrough a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library."},{"lang":"es","value":"Se descubrió código malicioso en los archivos tar ascendentes de xz, a partir de la versión 5.6.0. A través de una serie de ofuscaciones complejas, el proceso de compilación de liblzma extrae un archivo objeto premanipulado de un archivo de prueba disfrazado existente en el código fuente, que luego se utiliza para modificar funciones específicas en el código de liblzma. Esto da como resultado una librería liblzma modificada que puede ser utilizada por cualquier software vinculado a esta librería, interceptando y modificando la interacción de datos con esta librería."}],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","baseScore":10.0,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":6.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","baseScore":10.0,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":6.0}]},"weaknesses":[{"source":"secalert@redhat.com","type":"Secondary","description":[{"lang":"en","value":"CWE-506"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:tukaani:xz:5.6.0:*:*:*:*:*:*:*","matchCriteriaId":"73F1DAD7-F362-4C5B-B980-2E5313C369DA"},{"vulnerable":true,"criteria":"cpe:2.3:a:tukaani:xz:5.6.1:*:*:*:*:*:*:*","matchCriteriaId":"55782A0B-B9C5-4536-A885-84CAB7029C09"}]}]}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2024-3094","source":"secalert@redhat.com","tags":["Vendor Advisory"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2272210","source":"secalert@redhat.com","tags":["Issue Tracking","Vendor Advisory"]},{"url":"https://www.openwall.com/lists/oss-security/2024/03/29/4","source":"secalert@redhat.com","tags":["Mailing List"]},{"url":"https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users","source":"secalert@redhat.com","tags":["Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2024/03/29/10","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/29/12","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/29/4","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/29/5","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/29/8","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/30/12","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/30/27","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/30/36","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"http://www.openwall.com/lists/oss-security/2024/03/30/5","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"http://www.openwall.com/lists/oss-security/2024/04/16/5","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://access.redhat.com/security/cve/CVE-2024-3094","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]},{"url":"https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://aws.amazon.com/security/security-bulletins/AWS-2024-002/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://boehs.org/node/everything-i-know-about-the-xz-backdoor","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Vendor Advisory"]},{"url":"https://bugs.gentoo.org/928134","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Third Party Advisory"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2272210","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Vendor Advisory"]},{"url":"https://bugzilla.suse.com/show_bug.cgi?id=1222124","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Third Party Advisory"]},{"url":"https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://github.com/advisories/GHSA-rxwq-x6h5-x525","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://github.com/amlweems/xzbot","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://github.com/karcherm/xz-malware","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://gynvael.coldwind.pl/?lang=en&id=782","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Technical Description","Third Party Advisory"]},{"url":"https://lists.debian.org/debian-security-announce/2024/msg00057.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]},{"url":"https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://lwn.net/Articles/967180/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Third Party Advisory"]},{"url":"https://news.ycombinator.com/item?id=39865810","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Third Party Advisory"]},{"url":"https://news.ycombinator.com/item?id=39877267","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking"]},{"url":"https://news.ycombinator.com/item?id=39895344","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://research.swtch.com/xz-script","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://research.swtch.com/xz-timeline","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://security-tracker.debian.org/tracker/CVE-2024-3094","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://security.alpinelinux.org/vuln/CVE-2024-3094","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://security.archlinux.org/CVE-2024-3094","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://security.netapp.com/advisory/ntap-20240402-0001/","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://tukaani.org/xz-backdoor/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Vendor Advisory"]},{"url":"https://twitter.com/LetsDefendIO/status/1774804387417751958","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://twitter.com/debian/status/1774219194638409898","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Press/Media Coverage"]},{"url":"https://twitter.com/infosecb/status/1774595540233167206","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Press/Media Coverage"]},{"url":"https://twitter.com/infosecb/status/1774597228864139400","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Press/Media Coverage"]},{"url":"https://ubuntu.com/security/CVE-2024-3094","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-in-docker-images","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","US Government Resource"]},{"url":"https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://www.kali.org/blog/about-the-xz-backdoor/","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://www.openwall.com/lists/oss-security/2024/03/29/4","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"]},{"url":"https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]},{"url":"https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://www.theregister.com/2024/03/29/malicious_backdoor_xz/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Press/Media Coverage"]},{"url":"https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://xeiaso.net/notes/2024/xz-vuln/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}