Bug 2249901 (CVE-2023-7216) - CVE-2023-7216 CPIO: extraction allows symlinks which enables Remote Command Execution [NEEDINFO]
Summary: CVE-2023-7216 CPIO: extraction allows symlinks which enables Remote Command E...
Status: NEW
Alias: CVE-2023-7216
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
: 2255243 (view as bug list)
Depends On: 2280700
Blocks: 2249902 2255242
TreeView+ depends on / blocked
Reported: 2023-11-15 20:50 UTC by Nick Tait
Modified: 2024-05-15 19:33 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which allows files to be written in arbitrary directories through symlinks.
Clone Of:
Last Closed:
ntait: needinfo? (mrehak)

Attachments (Terms of Use)

Description Nick Tait 2023-11-15 20:50:58 UTC

CPIO  found to be vulnerable to Path Traversal vulnerability that can be
leveraged to achieve full Remote Command Execution on the target.


While handling CPIO archives, the CPIO follows symlink, cpio by default
will follow stored symlinks while extracting and the Archiver will not
check the symlink location, which leads to arbitrary file writes to
unintended locations. When the victim extracts the archive, the attacker
can craft a malicious cpio archive to achieve RCE on the target system.

PoC ( Steps to reproduce ) :
Complete instructions to craft a cpio archive to demonstrate the

mkdir testcpio
 ln -sf /tmp/ testcpio/tmp
 echo "TEST Traversal" > testcpio/tmpYtrav.txt
 cd testcpio/
 ls | cpio -ov > ../trav.cpio
 cd ../
 sed -i s/"tmpY"/"tmp\/"/g trav.cpio


Extract the malicious archive: cpio -i < trav.cpio

An attacker can craft malicious cpio archives that exploit the
vulnerability to write files on locations such as ~/.ssh, ~/.bashrc,
~/.config/autostart/ etc., to achieve full remote command execution on the
target/victim system. Software that uses CPIO as a component might be

Credit: Febin Mon Saji

Comment 2 Sandipan Roy 2023-11-20 06:33:14 UTC
This attack requires to social engineer the user to open the cpio archive, impact of this is moderate.

Comment 4 Marian Rehak 2024-02-05 15:16:35 UTC
*** Bug 2255243 has been marked as a duplicate of this bug. ***

Comment 5 Samuel Henrique <samueloph> 2024-02-09 16:13:36 UTC
Looks very similar to CVE-2015-1197 - https://bugzilla.redhat.com/show_bug.cgi?id=1179773

Comment 6 Salvatore Bonaccorso 2024-02-26 15:05:47 UTC
There is a question in upstream list about this CVE in https://lists.gnu.org/archive/html/bug- cpio/2024-02/msg00000.html

Comment 7 Nick Tait 2024-02-27 18:42:30 UTC
Marian, can you help with this question? Corrected link is https://lists.gnu.org/archive/html/bug-cpio/2024-02/msg00000.html

Comment 8 peng 2024-03-04 09:10:12 UTC
CVE-2023-7216  has been rejected by the upstream community , cpio maintainer don't think it's a bug.
Is the Red Hat community considering marking CVE-2023-7216 as rejected on NVD?

Comment 10 Michal Schorm 2024-05-13 16:24:57 UTC
I see no difference between this CVE-2023-7216 and the CVE-2015-1197.
Both CVEs are about the same thing: escaping the directory tree the archive is extracted in.
The way the reproducer is constructed is a bit different but from what I can tell it results in the same principle.

I've made an extensive summary of the CVE-2015-1197 here: https://bugzilla.redhat.com/show_bug.cgi?id=1179773#c8

I don't understand why this CVE is rated 'moderate' (was even 'high' for a while), while the CVE-2015-1197 is rated 'low'.

After 8 years, the upstream created a fix for the cpio '--no-absolute-filenames' option, so it now prevents the attack.
Other than that the upstream rejected this CVE, stating to use the fixed '--no-absolute-filenames' option, which entirely prevents it.

As I've pointed out in the CVE-2015-1197, we haven't fixed even that in RHEL 7, 8, 9.
And it doesn't seem to be a problem, at least as far as I can tell.

I believe these two CVEs are the exact same, only revived few years later.
As it wasn't a problem with the CVE-2015-1197, I strongly suggest to use the same resolution.
Which is:
- lower the CVE severity to 'low'
- close as 'WON'T FIX'

The RHEL 10 will likely be the first RHEL distribution containing the fix.

Comment 13 Nick Tait 2024-05-15 19:31:18 UTC
Created cpio tracking bugs for this issue:

Affects: fedora-all [bug 2280700]

Note You need to log in before you can comment on or make changes to this bug.