{
  "threat_severity" : "Low",
  "public_date" : "2022-01-31T00:00:00Z",
  "bugzilla" : {
    "description" : "unzip: SIGSEGV during the conversion of an utf-8 string to a local string",
    "id" : "2051395",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2051395"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-119",
  "details" : [ "A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string and leads to a heap out-of-bounds write. This flaw allows an attacker who supplies a specially crafted zip file to cause a crash or, potentially, code execution.", "A flaw was found in Unzip. The vulnerability occurs during the conversion of a UTF-8 string to a local string and leads to a segmentation fault. This flaw allows an attacker who supplies a specially crafted zip file to cause a crash." ],
  "statement" : "This issue is classified with a low severity primarily because untrusted zip files are not typically extracted as the root user, limiting the impact of this issue. Additionally, this segmentation fault is caused by a NULL pointer dereference and is only triggered during the parsing of a specially crafted file, requiring an attacker to convince a user to process this file with unzip; the CVSS vector accordingly requires local access and user interaction and records an availability impact only. Furthermore, unzip does not handle privileged operations, meaning that exploitation is unlikely to lead to system compromise or escalation of privileges. Also, the impact is limited to the application itself, without affecting the broader system or network security.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "unzip",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "unzip",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "unzip",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "unzip",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-0530\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-0530" ],
  "name" : "CVE-2022-0530",
  "csaw" : false
}