CVE-2023-7216

A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which allows files to be written in arbitrary directories through symlinks.
References
Link Resource
https://access.redhat.com/security/cve/CVE-2023-7216 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2249901 Exploit Issue Tracking Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:gnu:cpio:-:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

History

13 May 2024, 23:15

Type Values Removed Values Added
Summary (en) A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, this allows writing files in arbitrary directories through symlinks. (en) A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which allows files to be written in arbitrary directories through symlinks.

12 Mar 2024, 17:38

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 8.8
v2 : unknown
v3 : 5.3

11 Mar 2024, 11:15

Type Values Removed Values Added
Summary (en) A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which could be utilized to run arbitrary commands on the target system. (en) A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, this allows writing files in arbitrary directories through symlinks.

19 Feb 2024, 12:15

Type Values Removed Values Added
CWE CWE-59

13 Feb 2024, 00:37

Type Values Removed Values Added
First Time Redhat
Redhat enterprise Linux
Gnu
Gnu cpio
CPE cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:a:gnu:cpio:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
CWE CWE-22
References () https://bugzilla.redhat.com/show_bug.cgi?id=2249901 - () https://bugzilla.redhat.com/show_bug.cgi?id=2249901 - Exploit, Issue Tracking, Third Party Advisory
References () https://access.redhat.com/security/cve/CVE-2023-7216 - () https://access.redhat.com/security/cve/CVE-2023-7216 - Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8

05 Feb 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-05 15:15

Updated : 2024-09-19 06:15


NVD link : CVE-2023-7216

Mitre link : CVE-2023-7216

CVE.ORG link : CVE-2023-7216


JSON object : View

Products Affected

gnu

  • cpio

redhat

  • enterprise_linux
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-59

Improper Link Resolution Before File Access ('Link Following')