Lucene search

Debian Security Bug TrackerDEBIANCVE:CVE-2023-7207

HistoryFeb 29, 2024 - 1:42 a.m.

CVE-2023-7207

2024-02-2901:42:59

Debian Security Bug Tracker

security-tracker.debian.org

debian

cpio

path traversal

vulnerability

cve-2023-7207

regression

fix

unix

upstream

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

7.1 High

AI Score

Confidence

Low

3.3 Low

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

MULTIPLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:M/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

14.1%

JSON

Debian’s cpio contains a path traversal vulnerability. This issue was introduced by reverting CVE-2015-1197 patches which had caused a regression in --no-absolute-filenames. Upstream has since provided a proper fix to --no-absolute-filenames.

OSVersionArchitecturePackageVersionFilename
Debian12allcpio<= 2.13+dfsg-7.1cpio_2.13+dfsg-7.1_all.deb
Debian11allcpio<= 2.13+dfsg-7.1~deb11u1cpio_2.13+dfsg-7.1~deb11u1_all.deb
Debian10allcpio< 2.12+dfsg-9cpio_2.12+dfsg-9_all.deb
Debian999allcpio< 2.14+dfsg-1cpio_2.14+dfsg-1_all.deb
Debian13allcpio< 2.14+dfsg-1cpio_2.14+dfsg-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	cpio	<= 2.13+dfsg-7.1	cpio_2.13+dfsg-7.1_all.deb
Debian	11	all	cpio	<= 2.13+dfsg-7.1~deb11u1	cpio_2.13+dfsg-7.1~deb11u1_all.deb
Debian	10	all	cpio	< 2.12+dfsg-9	cpio_2.12+dfsg-9_all.deb
Debian	999	all	cpio	< 2.14+dfsg-1	cpio_2.14+dfsg-1_all.deb
Debian	13	all	cpio	< 2.14+dfsg-1	cpio_2.14+dfsg-1_all.deb