CVE-2015-1197
Zimbra Collaboration Suite TAR Path Traversal
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
4Exploited in Wild
-Decision
Descriptions
cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.
cpio 2.11, cuando utiliza la opción --no-absolute-filenames, permite a usuarios locales escribir ficheros arbitrarios a través de un ataque de enlace simbólico sobre un fichero en un archivo.
Alexander Cherepanov discovered that GNU cpio incorrectly handled symbolic links when used with the --no-absolute-filenames option. If a user or automated system were tricked into extracting a specially-crafted cpio archive, a remote attacker could possibly use this issue to write arbitrary files. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Gustavo Grieco discovered that GNU cpio incorrectly handled memory when extracting archive files. If a user or automated system were tricked into extracting a specially-crafted cpio archive, a remote attacker could use this issue to cause GNU cpio to crash, resulting in a denial of service, or possibly execute arbitrary code. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2015-01-18 CVE Reserved
- 2015-02-16 CVE Published
- 2022-10-20 First Exploit
- 2024-08-06 CVE Updated
- 2025-03-18 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
CAPEC
References (12)
| URL | Date | SRC |
|---|---|---|
| https://packetstorm.news/files/id/169458 | 2022-10-20 | |
| http://www.openwall.com/lists/oss-security/2015/01/07/5 | 2024-08-06 | |
| https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669 | 2024-08-06 | |
| https://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html | 2024-08-06 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.mandriva.com/security/advisories?name=MDVSA-2015:066 | 2023-12-27 | |
| http://www.ubuntu.com/usn/USN-2906-1 | 2023-12-27 |