CVE-2019-14866
cpio: improper input validation when writing tar header fields leads to unexpected tar generation
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.
En todas las versiones de cpio anteriores a la versión 2.13, no comprueba apropiadamente los archivos de entrada cuando se generan archivos TAR. Cuando cpio es usado para crear archivos TAR desde rutas en las que un atacante puede escribir, el archivo resultante puede contener archivos con permisos que el atacante no tenía o en rutas a las que no tenía acceso. Al extraer esos archivos desde un usuario con altos privilegios sin revisarlos cuidadosamente puede conllevar al compromiso del sistema.
It was discovered cpio does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-08-10 CVE Reserved
- 2019-11-07 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
CAPEC
References (6)
URL | Date | SRC |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14866 | 2024-08-05 | |
https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html | 2024-08-05 |
URL | Date | SRC |
---|---|---|
https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg00003.html | 2023-06-04 |
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2019-14866 | 2022-01-11 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1765511 | 2022-01-11 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Gnu Search vendor "Gnu" | Cpio Search vendor "Gnu" for product "Cpio" | < 2.13 Search vendor "Gnu" for product "Cpio" and version " < 2.13" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Affected
|