CVE-2022-1271, also tracked in the Black Duck KnowledgeBase™ as BDSA-2022-0958, is a bug in gzip, a file format and software application used for archiving, compressing, and decompressing files. Although a vulnerability in gzip has the potential to be cataclysmic, this vulnerability is actually in zgrep, a command used for searching through a gzip archive for a string.
Filenames containing newline characters can confuse zgrep, which can let an attacker overwrite arbitrary files. When GNU sed is also installed, this can be escalated to code execution. Most applications don't bundle gzip as a dependency in that sense, but they may invoke zgrep through a runtime command-line call. If such an application passes unsanitized user input as the filename, it is exposed to this vulnerability.
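For an application that does shell out to zgrep, the practical mitigation is to refuse filenames that zgrep could misparse and to pass arguments as an argv list rather than through a shell. The following is an added illustration, not code from the advisory or from gzip; the base directory, the helper names and the `.gz`-only rule are assumptions.

```python
import re
import subprocess
from pathlib import Path
from typing import List

# Hypothetical helper (not from the page): control characters, including the newline that
# triggers CVE-2022-1271, are rejected before the name ever reaches zgrep.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_archive_name(name: str) -> bool:
    """Accept only a bare .gz filename with no control characters, no directory
    components and no leading dash (so it cannot be read as an option)."""
    if not name or _CONTROL_CHARS.search(name):
        return False
    if name.startswith("-"):
        return False
    if Path(name).name != name:          # rejects "../x.gz", "dir/x.gz", trailing slashes
        return False
    return name.endswith(".gz")


def build_zgrep_command(pattern: str, name: str, base_dir: str = "/var/archives") -> List[str]:
    """Return the argv list for zgrep, or raise ValueError for an unsafe name.
    base_dir is an assumed, application-controlled directory."""
    if not is_safe_archive_name(name):
        raise ValueError(f"refusing to pass unsafe filename to zgrep: {name!r}")
    # "-e PATTERN" keeps a pattern starting with "-" from being parsed as an option,
    # and "--" ends option parsing before the path.
    return ["zgrep", "-e", pattern, "--", str(Path(base_dir, name))]


def run_zgrep(pattern: str, name: str, base_dir: str = "/var/archives") -> str:
    """Run zgrep without a shell (never shell=True or os.system with user input)."""
    argv = build_zgrep_command(pattern, name, base_dir)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample input: a user-supplied name carrying a newline is rejected.
    for candidate in ("app.log.gz", "app.log\n.gz", "-r.gz", "../etc/passwd.gz"):
        print(f"{candidate!r}: {'ok' if is_safe_archive_name(candidate) else 'rejected'}")
```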
Container images used for cloud deployments will almost certainly have gzip. However, if you are not using the zgrep command, you won’t be affected by this vulnerability.