CVE-2019-14866
Public on 2020-01-07
Modified on 2020-10-22
Description
It was discovered cpio does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | cpio | 2020-10-22 | ALAS2-2020-1505 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.7 | CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
| NVD | CVSSv2 | 6.9 | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| NVD | CVSSv3 | 7.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |