CVE-2019-14866 Information

Description

In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Reference

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14866 https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg00003.html https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

7.3