Improper input validation in Gnu Cpio
CVE-2019-14866
In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions…
Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)
EPSS: 0.007 (47.8th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.3 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H.
Affected products
- Gnu Cpio
- Red Hat Cpio — versions All cpio versions before 2.13
- Redhat Enterprise_linux — versions 7.0, 8.0
Weakness classification (CWE)
Public proof-of-concept exploits
References
- secalert@redhat.com (x_refsource_CONFIRM, Exploit, Patch, Third Party Advisory, Mitigation, Issue Tracking)
- secalert@redhat.com (Patch, Mailing List, Third Party Advisory, x_refsource_MISC)
- secalert@redhat.com (Exploit, Mailing List, Third Party Advisory, x_refsource_MISC)
- secalert@redhat.com
Frequently asked questions
- What is CVE-2019-14866?
- CVE-2019-14866 is a high-severity vulnerability in Gnu Cpio, classified under Improper Input Validation. CVSS score: 7.3/10. Published 2020-01-07.
- How severe is CVE-2019-14866?
- High severity. CVSS v3 base score is 7.3 out of 10.
- Is CVE-2019-14866 known to be exploited?
- 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.