CVE-2022-4976

EUVD-2022-55186 | CRITICAL 9.8 (CVSS 3.1) | Published 2025-06-12

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

  • Analysis Generated: Mar 14, 2026 - 21:20 (vuln.today)
  • EUVD ID Assigned: Mar 14, 2026 - 21:20 (EUVD), EUVD-2022-55186
  • CVE Published: Jun 12, 2025 - 01:15 (NVD), CRITICAL 9.8

Description (NVD)

Archive::Unzip::Burst from 0.01 through 0.09 for Perl contains a bundled InfoZip library that is affected by several vulnerabilities.

The bundled library is affected by CVE-2014-8139, CVE-2014-8140 and CVE-2014-8141.

Analysis (AI-generated)

Archive::Unzip::Burst, a Perl module for extracting ZIP archives, compiles its own copy of the Info-ZIP UnZip source into the module in versions 0.01 through 0.09. That copy carries three heap-based buffer overflows in UnZip's handling of the per-entry extra field (CVE-2014-8139, CVE-2014-8140, CVE-2014-8141), so any Perl code that feeds untrusted archives to the module inherits them. A crafted ZIP file is the only input required: no authentication and no user interaction, and the archive can arrive over the network through an upload endpoint, a mail attachment or a fetched artifact. NVD rates CVE-2022-4976 at CVSS 3.1 9.8 (critical); the outcome ranges from a crash of the extracting process to arbitrary code execution with that process's privileges.

Technical Context (AI-generated)

Archive::Unzip::Burst exists to extract ZIP files quickly from Perl by building a copy of the Info-ZIP UnZip code into the module rather than calling the system's unzip. Because that copy was frozen when the module was released, it never received the fixes Info-ZIP and the Linux distributions shipped for the 2014 issues. All three are heap-based buffer overflows in UnZip's parsing of an entry's extra field, reached before any file content is inflated: CVE-2014-8139 in the CRC32 verification of a compressed extra-field block (test_compr_eb in extract.c), CVE-2014-8140 an out-of-bounds write in the same test_compr_eb routine, and CVE-2014-8141 an out-of-bounds access in getZip64Data in process.c, which reads the Zip64 extra-field block. In each case a length taken from the archive is trusted when copying or checksumming, so a crafted extra field corrupts the heap of the extracting process. The flaws live in the bundled C code, not in the Perl glue, and do not depend on what the caller does with the extracted files. The page does not give a confirmed CPE; a likely form is cpe:2.3:a:perl:archive-unzip-burst:*:*:*:*:*:*:*:* for versions 0.01 through 0.09, but check NVD's configuration data before relying on it for inventory matching. The root cause is missing bounds validation on attacker-controlled lengths in the UnZip extra-field routines.

Remediation (AI-generated)

  • action: Upgrade Archive::Unzip::Burst only to a release that documents the fix; details: The page does not identify a fixed version. Check https://metacpan.org/pod/Archive::Unzip::Burst and the distribution's Changes file for any release later than 0.09 whose notes state that the bundled InfoZip code was replaced or patched for CVE-2014-8139, CVE-2014-8140 and CVE-2014-8141; do not assume the next version number is fixed.
  • action: Screen archives before the module sees them; details: Until a fixed release is available, validate ZIP files in Perl before calling the extractor: check the local and central-directory signatures, walk each entry's extra field and reject any block whose declared size does not fit inside the field, cap the total declared uncompressed size and the compressed-to-uncompressed ratio, reject names containing path traversal, and run the extraction in a sandboxed, unprivileged worker so that a heap corruption only takes down that process.
  • action: Consider alternative libraries; details: If a fixed release is not available in time, replace the module with Archive::Zip or IO::Uncompress::Unzip, which decompress through Compress::Raw::Zlib (the Perl binding to the system zlib) and therefore pick up operating-system patches instead of carrying a bundled copy, or call the distribution-patched unzip binary in a subprocess.
  • action: Vendor advisory check; details: Contact the Archive::Unzip::Burst maintainer via CPAN or GitHub for a formal advisory, and confirm whether any version later than 0.09 exists and what it changes in the bundled library.
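The pre-screen described in the remediation above, as an added example; this is not code from the vuln.today page or from Archive::Unzip::Burst. It parses only the central directory with core Perl and never inflates data, so it is safe to run on untrusted bytes, and it rejects the kinds of inconsistency through which the 2014 bugs were reached: an extra-field block whose declared size runs past the field, sizes that disagree for a STORED entry, an implausible ratio, and path traversal in names. The caps in %LIMIT, the function names screen_zip, extra_field_ok and build_zip, and the four constructed archives are assumptions for illustration.

```perl
#!/usr/bin/env perl
# Added example: screen a ZIP before handing it to Archive::Unzip::Burst.
use strict;
use warnings;
use Compress::Raw::Zlib qw(crc32);   # core module, used only to build fixtures

# Caps are deployment assumptions, not values from the advisory.
my %LIMIT = (
    max_entries     => 10_000,
    max_total_usize => 256 * 1024 * 1024,   # declared bytes after extraction
    max_ratio       => 100,                 # uncompressed / compressed
    max_extra_len   => 2048,                # per-entry extra field
);

# An extra field is a run of (id:u16, size:u16, data) blocks. The overflowed
# UnZip routines trusted these sizes; refuse any block that does not fit.
sub extra_field_ok {
    my ($extra) = @_;
    my $pos = 0;
    while ($pos < length $extra) {
        return 0 if length($extra) - $pos < 4;          # truncated block header
        my ($id, $size) = unpack 'v v', substr($extra, $pos, 4);
        $pos += 4;
        return 0 if $pos + $size > length $extra;       # block runs past the field
        $pos += $size;
    }
    return 1;
}

# Returns (1, 'ok') or (0, $reason). Reads the central directory only.
sub screen_zip {
    my ($zip) = @_;
    my $len = length $zip;
    return (0, 'too short for an end-of-central-directory record') if $len < 22;
    my $eocd = rindex $zip, "PK\x05\x06";               # EOCD signature
    return (0, 'no end-of-central-directory record') if $eocd < 0 || $eocd + 22 > $len;
    my ($entries, $cd_size, $cd_off) = unpack 'x10 v V V', substr($zip, $eocd, 22);
    return (0, 'too many entries') if $entries > $LIMIT{max_entries};
    return (0, 'central directory outside file') if $cd_off + $cd_size > $eocd;

    my ($pos, $total_usize) = ($cd_off, 0);
    for my $i (1 .. $entries) {
        return (0, "entry $i: truncated central header") if $pos + 46 > $eocd;
        return (0, "entry $i: bad central header signature")
            unless substr($zip, $pos, 4) eq "PK\x01\x02";
        # method@10, csize@20, usize@24, name/extra/comment lengths@28, local offset@42
        my ($method, $csize, $usize, $nlen, $xlen, $clen, $loff)
            = unpack 'x10 v x8 V V v v v x8 V', substr($zip, $pos, 46);
        $pos += 46;
        return (0, "entry $i: variable fields run past directory")
            if $pos + $nlen + $xlen + $clen > $eocd;
        my $name  = substr $zip, $pos, $nlen;
        my $extra = substr $zip, $pos + $nlen, $xlen;
        $pos += $nlen + $xlen + $clen;

        return (0, "entry $i: local header outside file") if $loff + 30 > $cd_off;
        return (0, "entry $i: path traversal in name")
            if $name =~ m{^/|^[A-Za-z]:|(^|/)\.\.(/|$)};
        return (0, "entry $i: extra field too long") if $xlen > $LIMIT{max_extra_len};
        return (0, "entry $i: malformed extra field") unless extra_field_ok($extra);
        return (0, "entry $i: STORED sizes disagree") if $method == 0 && $csize != $usize;
        return (0, "entry $i: size declared but no data") if $csize == 0 && $usize > 0;
        return (0, "entry $i: compression ratio over limit")
            if $csize > 0 && $usize / $csize > $LIMIT{max_ratio};
        $total_usize += $usize;
        return (0, 'total declared size over limit')
            if $total_usize > $LIMIT{max_total_usize};
    }
    return (1, 'ok');
}

# Build a single-entry archive in memory (constructed fixture; the data bytes
# are not valid DEFLATE when method => 8, which the screener never inflates).
sub build_zip {
    my %o = @_;
    my ($name, $data, $extra) = ($o{name}, $o{data}, $o{extra} // '');
    my $method = $o{method} // 0;
    my $usize  = $o{usize}  // length $data;
    my $crc    = crc32($data);
    my $local = pack('a4 v v v v v V V V v v', "PK\x03\x04", 20, 0, $method, 0, 0,
                     $crc, length $data, $usize, length $name, length $extra)
              . $name . $extra . $data;
    my $central = pack('a4 v v v v v v V V V v v v v v V V', "PK\x01\x02", 20, 20, 0,
                       $method, 0, 0, $crc, length $data, $usize,
                       length $name, length $extra, 0, 0, 0, 0, 0)
                . $name . $extra;
    my $eocd = pack('a4 v v v v V V v', "PK\x05\x06", 0, 0, 1, 1,
                    length $central, length $local, 0);
    return $local . $central . $eocd;
}

my @cases = (
    ['well-formed',     build_zip(name => 'readme.txt', data => 'hello')],
    ['path traversal',  build_zip(name => '../../etc/cron.d/x', data => 'x')],
    # a 6-byte extra field whose single block claims 65535 bytes of data
    ['oversized block', build_zip(name => 'a.txt', data => 'x',
                                  extra => pack('v v a2', 0x5455, 0xFFFF, "\0\0"))],
    ['ratio 1000000:1', build_zip(name => 'big.bin', data => 'x', method => 8,
                                  usize => 1_000_000)],
);
for my $c (@cases) {
    my ($ok, $why) = screen_zip($c->[1]);
    printf "%-16s %s (%s)\n", $c->[0], $ok ? 'ACCEPT' : 'REJECT', $why;
}
```

Run it with a system perl; the first case is accepted and the other three are rejected with the reason named. A screener of this kind is a filter, not a fix: it cannot prove the bundled C code is safe on every input, so it should sit in front of the extractor in addition to running the extraction in an isolated worker, and the module should still be replaced or upgraded.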
