Описание
[REJECTED CVE] A vulnerability was identified in the GNU cpio package where the --no-absolute-filenames option, intended to restrict extraction to the current directory, can be bypassed using crafted symlinks. During extraction, cpio will first create the symlink and then follow it for subsequent entries, allowing a malicious archive to write files outside the intended directory (e.g., /tmp/file). An attacker could exploit this by tricking a user, into extracting such an archive, potentially leading to arbitrary file creation, privilege escalation, or data corruption.
Отчет
This flaw was found to be a duplicate of CVE-2015-1197. Please see https://access.redhat.com/security/cve/CVE-2015-1197 for information about affected products and security errata.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | cpio | Not affected | ||
| Red Hat Enterprise Linux 6 | cpio | Not affected | ||
| Red Hat Enterprise Linux 7 | cpio | Not affected | ||
| Red Hat Enterprise Linux 8 | cpio | Not affected |
Показывать по
Дополнительная информация
Статус:
4.4 Medium
CVSS3
Связанные уязвимости
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-1197. Reason: This candidate is a duplicate of CVE-2015-1197. Notes: All CVE users should reference CVE-2015-1197 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-1197. Reason: This candidate is a duplicate of CVE-2015-1197. Notes: All CVE users should reference CVE-2015-1197 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
4.4 Medium
CVSS3