CVE-2023-39810

2023-08-2921:25:55

redhat.com

access.redhat.com

busybox

cpio command

directory traversal

unauthorized file overwriting

shell scripts

mitigation

gnu cpio

file name argument

archive files

trusted

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

23.0%

JSON

A flaw was found in the BusyBox tool. This issue occurs in the cpio command of BusyBox and may allow attackers to execute a directory traversal. If untrusted archives are extracted, this can result in files written outside of the destination directory or files being overwritten that contain configuration in the form of shell scripts such as ~/.bashrc or scripts that enable login from a remote side such as the ~/.ssh/authorized_keys file.

Mitigation

Change the default behavior to ignore relative file names with a …/ pattern within the cpio archive. To process files with a directory traversal pattern, a command line flag could be introduced, as done in GNU cpio.

Users can specify on the BusyBox cpio command line which file name should be unpacked, which should be safe as long as no directory traversal is included in that file name argument.

Users may also consider using another cpio implementation, or may ensure that archive files are trusted.