CVE-2019-14866: Input Validation
First published: Tue Jan 07 2020(Updated: )
GNU cpio could allow a local authenticated attacker to gain elevated privileges on the system, caused by the failure to properly validate input files when generating TAR archives. An attacker could exploit this vulnerability to inject any tar content and compromise the system.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GNU cpio | <2.13 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| <=10.5 | ||
| <=10.6 | ||
| <=11.0 | ||
| <=11.1 | ||
| <=11.2 | ||
| <=11.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14866
- https://lists.debian.org/debian-lts-announce/2023/06/msg00007.html
- https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg00003.html
- https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/171509
- https://www.ibm.com/support/pages/node/6455281 (Advisory)
Frequently Asked Questions
What is the vulnerability ID of this security issue?
The vulnerability ID of this security issue is CVE-2019-14866.
What is the severity of CVE-2019-14866?
The severity of CVE-2019-14866 is high (7.3).
Which software versions are affected by this vulnerability?
IBM Security Guardium versions up to and including 10.5, 10.6, 11.0, 11.1, 11.2, and 11.3 are affected by this vulnerability. GNU cpio up to version 2.13 and Redhat Enterprise Linux versions 7.0 and 8.0 are also affected.
What is the impact of this vulnerability?
Exploiting this vulnerability could allow a local authenticated attacker to gain elevated privileges on the system.
How can this vulnerability be fixed?
To fix this vulnerability, it is recommended to upgrade to a patched version of cpio and apply any available security updates provided by vendors like IBM and Redhat.
- collector/nvd-index
- agent/references
- agent/type
- agent/remedy
- agent/last-modified-date
- agent/first-publish-date
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/weakness
- agent/author
- agent/severity
- agent/description
- agent/softwarecombine
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/gnu
- canonical/gnu cpio
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- vendor/ibm
- canonical/ibm security guardium
- version/ibm security guardium/10.5
- version/ibm security guardium/10.6
- version/ibm security guardium/11.0
- version/ibm security guardium/11.1
- version/ibm security guardium/11.2
- version/ibm security guardium/11.3