CVE-2019-14866 — Improper Input Validation in Cpio

CWE-20 — Improper Input Validation9 documents8 sources

Severity

7.3HIGHNVD

EPSS

0.0%

top 90.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Cpio RED HAT Cpio Redhat Enterprise Linux

Timeline

PublishedJan 7

Latest updateMay 24

Description

In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 1.3 | Impact: 5.9

Affected Packages3 packages

▶NVDgnu/cpio< 2.13

▶Debiangnu/cpio< 2.13+dfsg-1+3

▶CVEListV5red_hat/cpioAll cpio versions before 2.13

Also affects: Enterprise Linux 7.0, 8.0

Patches

Patch: bugzilla.redhat.com ↗Patch: lists.gnu.org ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-g3pr-277r-xcx7: In all versions of cpio before 2↗2022-05-24

▶

CVEList

CVE-2019-14866: In all versions of cpio before 2↗2020-01-07

▶

OSV

CVE-2019-14866: In all versions of cpio before 2↗2020-01-07

▶

📋Vendor Advisories

Ubuntu

GNU cpio vulnerability↗2019-11-06

▶

Red Hat

cpio: improper input validation when writing tar header fields leads to unexpected tar generation↗2019-08-30

▶

Debian

CVE-2019-14866: cpio - In all versions of cpio before 2.13 does not properly validate input files when ...↗2019

▶

💬Community

Bugzilla

CVE-2019-14866 cpio: improper input validation when writing tar header fields leads to unexpect tar generation [fedora-all]↗2019-10-28

▶

Bugzilla

CVE-2019-14866 cpio: improper input validation when writing tar header fields leads to unexpected tar generation↗2019-10-25

▶