VDB

GCVE-110-OSM-2024-90

GCVE-110-OSM-2024-90
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 12, 2024
Brandjacking attack impersonating the legitimate XZ for Java compression library (org.tukaani:xz). Contains backdoor that listens on port 11337 for incoming connections and executes received data as arbitrary shell commands. Attacker published benign versions first to establish credibility before introducing malware in version 1.9. Follows the high-profile XZ Utils backdoor (CVE-2024-3094) discovery. Backdoor initializes server socket on port 11337, listens for incoming connections, and executes any received data as a shell script. Uses obfuscated byte arrays for strings like /bin/sh and /tmp/evil.sh to evade static code analysis. After making /tmp/evil.sh executable, the attacker can run arbitrary commands with the privileges of the Java process. Comments in malicious code suggest AI-generated assistance (e.g., "Start listening to connections on port 11337", "Obfuscate string").

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownxz-java

References

vendor

Browse GCVE Records

73,393 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›