CVE-2022-1271 in gzipinfo

Summary

by MITRE • 08/31/2022

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied to an attacker-chosen file name (for example, a crafted file name), it can overwrite an arbitrary attacker-selected file with the attacker's content. This flaw occurs due to insufficient validation when processing filenames with two or more newlines, where the selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low-privileged attacker to force zgrep to write arbitrary files on the system.

Analysis

by VulDB Data Team • 05/21/2025

CVE-2022-1271 is a critical arbitrary file write flaw in GNU gzip's zgrep utility, a widely used command-line tool for searching compressed files. The weakness stems from inadequate validation of filename arguments, specifically filenames that contain multiple newline characters. zgrep's handling of such multi-line names allows both content and a target file path to be embedded in a single crafted input, which in turn allows unauthorized file system modifications. The flaw affects any system where GNU gzip is installed and zgrep is executed on user-provided input, so it is most concerning in environments that process untrusted data.

Exploitation relies on crafted input filenames with embedded newlines, which cause zgrep to treat parts of the multi-line name as both the data to write and the destination path. Because zgrep does not validate the resulting target names, an attacker can choose arbitrary file paths for the write operation. This is a failure of basic input sanitization and path validation that gives a low-privileged attacker a privilege escalation vector, and it illustrates how a seemingly benign utility becomes dangerous when proper input validation is absent.

In terms of operational impact, the vulnerability lets remote attackers perform arbitrary file writes on affected systems, potentially leading to complete system compromise. Because only low privileges are required, the flaw is especially dangerous in multi-user environments and in applications that run zgrep on untrusted input. An attacker could overwrite critical system files, inject malicious code into executables, or establish persistence by modifying configuration files or system binaries. The attack surface includes any application or service that relies on zgrep to process compressed data or that implements similar filename handling.

Mitigation of CVE-2022-1271 should start with promptly patching GNU gzip installations to versions that contain the fix. System administrators should add input validation at the application level so that multi-line file names are never passed to zgrep or similar utilities. Network segmentation and privilege separation limit the impact of a successful exploit, and monitoring and logging of zgrep usage help detect anomalous file writes that may indicate exploitation attempts. The vulnerability is classified under CWE-22 (improper limitation of a pathname to a restricted directory) and maps to ATT&CK technique T1059.007 (command and scripting interpreter usage), reflecting how file system manipulation can enable further attack steps within a compromised environment. Organizations should also use automated vulnerability scanning to identify systems running vulnerable versions of GNU gzip and to confirm remediation across all affected platforms.
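The application-level validation recommended above can be implemented as a small guard in front of zgrep. The following is an added example written for this page; it is not VulDB's, MITRE's, or gzip's own code. It assumes Python 3 on a POSIX host with zgrep on the PATH; the helper names, the choice to reject carriage returns and NUL in addition to newlines, and the constructed sample file names are all this example's own assumptions. It also includes an audit helper that walks a directory tree and reports entries whose names contain a newline, which is what a defender would want to alert on before zgrep is run over an untrusted tree.

```python
from __future__ import annotations

import os
import subprocess
import tempfile
from typing import List

# CVE-2022-1271 is triggered by file names that contain newlines. This
# guard rejects any newline, and (as a conservative extra, an assumption
# of this example) also carriage return and NUL.
FORBIDDEN_CHARS = {"\n", "\r", "\0"}


def is_safe_filename(name: str) -> bool:
    """True if the name contains none of the forbidden control characters."""
    return not any(ch in name for ch in FORBIDDEN_CHARS)


def validated_zgrep_args(pattern: str, files: List[str]) -> List[str]:
    """Build an argv for zgrep, refusing any file name that could trigger the flaw.

    The pattern is passed with -e and file names follow a '--' separator so
    that neither a pattern nor a name starting with '-' is parsed as an option.
    """
    bad = [f for f in files if not is_safe_filename(f)]
    if bad:
        raise ValueError(
            f"refusing to pass {len(bad)} file name(s) containing "
            "newline/control characters to zgrep"
        )
    return ["zgrep", "-e", pattern, "--", *files]


def run_zgrep(pattern: str, files: List[str]) -> subprocess.CompletedProcess:
    """Run zgrep only after every file name has passed validation."""
    argv = validated_zgrep_args(pattern, files)
    return subprocess.run(argv, capture_output=True, text=True, check=False)


def find_multiline_names(root: str) -> List[str]:
    """Audit helper: return paths under root whose base name contains a newline.

    Such names are almost never legitimate, so their presence in a tree that
    zgrep will be run over is worth an alert.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if "\n" in name:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def audit_demo() -> int:
    """Create a scratch tree with one constructed multi-line name and audit it.

    Returns the number of suspicious entries found (expected: 1).
    """
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample names: one benign, one carrying two newlines.
        for name in ("app.log.gz", "report.gz\n\nnot-a-real-target"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("")
        return len(find_multiline_names(root))


if __name__ == "__main__":
    print("safe argv:", validated_zgrep_args("ERROR", ["app.log.gz"]))
    try:
        validated_zgrep_args("ERROR", ["evil\n\nname.gz"])
    except ValueError as exc:
        print("rejected:", exc)
    print("suspicious entries in demo tree:", audit_demo())
```

The guard rejects the name before zgrep ever sees it, so it protects even a host that has not yet been patched; the audit helper is the detection side and can be scheduled over upload or spool directories.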

Reservation

04/07/2022

Disclosure

08/31/2022

Moderation

accepted

Entry

3

CPE

ready

EPSS

0.04062

KEV

no

Activities

very low

Sources
