Description
An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal.
A flaw was found in the BusyBox tool. The issue is in the cpio command of BusyBox and may allow attackers to perform a directory traversal. If untrusted archives are extracted, files can be written outside the destination directory, or existing files can be overwritten, including shell configuration scripts such as ~/.bashrc and files that grant remote login such as ~/.ssh/authorized_keys.
Statement
This issue did not affect the versions of Busybox as shipped with Red Hat Enterprise Linux 6.
Mitigation
Change the default behavior to ignore relative file names with a ../ pattern within the cpio archive. To process files with a directory traversal pattern, a command line flag could be introduced, as done in GNU cpio. Users can specify on the BusyBox cpio command line which file name should be unpacked, which should be safe as long as no directory traversal is included in that file name argument. Users may also consider using another cpio implementation, or may ensure that archive files are trusted.
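The check the mitigation describes, as an added illustration that is not BusyBox's or GNU cpio's own code: each entry name from the archive is split into path components, and an entry is skipped if it is absolute or has any ".." component, so that "a/../../b" is rejected while a name such as "a..b/c" is still unpacked. The function name and sample entry names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if an archive entry name is safe to unpack beneath the
 * destination directory, 0 if it must be skipped.  A name is unsafe if it
 * is empty, absolute, or contains a ".." path component: each of those lets
 * the entry land outside the extraction directory.  Components are checked
 * one by one so that "x/../../y" is caught while "a..b/ok" is allowed. */
int cpio_name_is_safe(const char *name)
{
    const char *p = name;

    if (name == NULL || *name == '\0')
        return 0;
    if (*name == '/')                 /* absolute path escapes destdir */
        return 0;

    while (*p) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                 /* ".." component: traversal */
        if (!slash)
            break;
        p = slash + 1;
    }
    return 1;
}

/* Count how many entry names in a list would be skipped. */
int count_unsafe(const char *const *names, int n)
{
    int unsafe = 0;
    for (int i = 0; i < n; i++)
        if (!cpio_name_is_safe(names[i]))
            unsafe++;
    return unsafe;
}

int main(void)
{
    /* Constructed sample entry names, mixing benign and traversal cases. */
    const char *const names[] = {
        "etc/motd", "./bin/busybox", "../../root/.bashrc",
        "/root/.ssh/authorized_keys", "a..b/ok", "x/../../y"
    };
    int n = (int)(sizeof names / sizeof names[0]);
    for (int i = 0; i < n; i++)
        printf("%-30s %s\n", names[i],
               cpio_name_is_safe(names[i]) ? "unpack" : "skip (traversal)");
    return count_unsafe(names, n) == 3 ? 0 : 1;
}
```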
Affected packages
| Platform | Package | State | Errata | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | busybox | Not affected | | |
Additional information
CVSS3: 7.3 (High)