Path Traversal Vulnerability in Debian's Cpio Utility
CVE-2023-7207

4.9MEDIUM

Key Information:

Vendor

Debian
Status
Debian Cpio
Vendor
CVE Published:
29 February 2024

What is CVE-2023-7207?

Debian's cpio utility presents a path traversal vulnerability due to a reversion of previous patches related to the handling of absolute filenames. This flaw can allow attackers to manipulate file paths, potentially leading to unauthorized file access. An upstream fix has been released to address this issue, reinstating the necessary safeguards and ensuring cpio operates securely.

Affected Version(s)

Debian cpio Linux 0 < 2.14+dfsg-1

References

https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=376...
patch
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059163
issue-tracking
https://www.openwall.com/lists/oss-security/2023/12/21/8
mailing-list

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ingo BrĂĽckl
.