Vulnerability Description
In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnu | Cpio | < 2.13 |
| Redhat | Enterprise Linux | 7.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14866ExploitIssue TrackingMitigation
- https://lists.debian.org/debian-lts-announce/2023/06/msg00007.html
- https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg00003.htmlMailing ListPatchThird Party Advisory
- https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.htmlExploitMailing ListThird Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14866ExploitIssue TrackingMitigation
- https://lists.debian.org/debian-lts-announce/2023/06/msg00007.html
- https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg00003.htmlMailing ListPatchThird Party Advisory
- https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.htmlExploitMailing ListThird Party Advisory
FAQ
What is CVE-2019-14866?
CVE-2019-14866 is a vulnerability with a CVSS score of 7.3 (HIGH). In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting arc...
How severe is CVE-2019-14866?
CVE-2019-14866 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-14866?
Check the references section above for vendor advisories and patch information. Affected products include: Gnu Cpio, Redhat Enterprise Linux.