ID CVE-2015-1197
Summary cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive. CWE-61: UNIX Symbolic Link (Symlink) Following (http://cwe.mitre.org/data/definitions/61.html)
References
Vulnerable Configurations
  • cpe:2.3:a:gnu:cpio:2.11:*:*:*:*:*:*:*
CVSS
Base: 1.9 (as of 06-12-2016 - 02:59)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector: LOCAL
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE
cvss-vector via4 AV:L/AC:M/Au:N/C:N/I:P/A:N
refmap via4
bid 71914
confirm http://advisories.mageia.org/MGASA-2015-0080.html
mandriva MDVSA-2015:066
misc https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669
mlist
  • [Bug-cpio] 20150108 cpio: directory traversal vulnerability via symlinks
  • [oss-security] 20150108 Directory traversals in cpio and friends?
  • [oss-security] 20150118 Re: CVE Request: cpio -- directory traversal
ubuntu USN-2906-1
Last major update 06-12-2016 - 02:59
Published 19-02-2015 - 15:59