PT-2019-4757 · Gnu+8 · Cpio+8

Thomas Habets

·

Published

2019-08-30

·

Updated

2025-08-25

·

CVE-2019-14866

CVSS v3.1

7.3

High

VectorAV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions cpio versions prior to 2.13
Description The issue is related to the improper validation of input files when generating TAR archives. This can lead to the creation of archives containing files with permissions or in paths that the attacker did not have access to. If a high-privilege user extracts such archives without careful review, it may compromise the system. The vulnerability is also associated with errors in checking the TAR file header, which can allow an attacker to elevate their privileges.
Recommendations For versions prior to 2.13, update to version 2.13 or later to resolve the issue. As a temporary workaround, consider carefully reviewing TAR archives created from paths that an attacker can write to, before extracting them, especially when done by a high-privilege user. Restrict access to the archive creation process to minimize the risk of exploitation.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

ALT-PU-2021-3526
ALT-PU-2025-5537
ALT-PU-2025-5539
BDU:2020-01329
CESA-2020_3908
CESA-2021_1582
CVE-2019-14866
DLA-1981-1
DLA-3445-1
ELSA-2020-3908
ELSA-2021-1582
MGASA-2019-0326
OPENSUSE-SU-2019:2593-1
OPENSUSE-SU-2019:2596-1
OPENSUSE-SU-2019_2593-1
OPENSUSE-SU-2019_2596-1
OPENSUSE-SU-2024:10697-1
RHSA-2020:3908
RHSA-2020_3908
RHSA-2021:1582
RHSA-2021_1582
RHSA-2022:0073
RLSA-2021:1582
RLSA-2021_1582
SUSE-SU-2019:3059-1
SUSE-SU-2019:3064-1
SUSE-SU-2019_3059-1
SUSE-SU-2019_3064-1
USN-4176-1

Affected Products

Alt Linux
Astra Linux
Centos
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Cpio