CVE-2019-14866

HIGH

cpio < 2.13 - Improper Input Validation in TAR Archive Generation

Title source: llm

Description

In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.

References (4)

Core 4

Core References

Exploit, Issue Tracking, Mitigation, Patch, Third Party Advisory x_refsource_confirm

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14866

Mailing List, Patch, Third Party Advisory x_refsource_misc

https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg00003.html

Exploit, Mailing List, Third Party Advisory x_refsource_misc

https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html

Mailing List

https://lists.debian.org/debian-lts-announce/2023/06/msg00007.html

Scores

CVSS v3 7.3

EPSS 0.0003

EPSS Percentile 9.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-20

Status published

Products (3)

gnu/cpio < 2.13

redhat/enterprise_linux 7.0

redhat/enterprise_linux 8.0

Published Jan 07, 2020

Tracked Since Feb 18, 2026