CVE-2023-7216

Summary

A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which allows files to be written in arbitrary directories through symlinks.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-59: Improper Link Resolution Before File Access ('Link Following')

Workarounds

Use the –no-absolute-filenames option to avoid this behaviour.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References