CVE-2023-7207

Description

Debian's cpio contains a path traversal vulnerability. This issue was introduced by reverting CVE-2015-1197 patches which had caused a regression in --no-absolute-filenames. Upstream has since provided a proper fix to --no-absolute-filenames.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected products

Debian / Debian cpio0 – 2.14+dfsg-1

References

MISChttps://git.savannah.gnu.org/cgit/cpio.git/commit/?id=376d663340a9dc91c91a5849e5713f07571c1628
VENDOR_ADVISORYhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059163
MAILING_LISThttps://www.openwall.com/lists/oss-security/2023/12/21/8
CONFIRMhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7207
MAILING_LISThttp://www.openwall.com/lists/oss-security/2024/01/05/1