:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - cpiorelease_2_12
GNU cpio
Library home page: https://git.savannah.gnu.org/cgit/cpio.git
Vulnerable Source Files (2)
/vendor/cpio-2.12/src/dstring.h /vendor/cpio-2.12/src/copypass.c
Vulnerabilities
Details
CVE-2021-38185
### Vulnerable Libraries - cpiorelease_2_12, cpiorelease_2_12, cpiorelease_2_12, cpiorelease_2_12, cpiorelease_2_12, cpiorelease_2_12
### Vulnerability Details
GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.
Publish Date: 2021-08-08
URL: CVE-2021-38185
### CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-38185
Release Date: 2021-08-08
Fix Resolution: cpio - 2.13+dfsg-5
CVE-2019-14866
### Vulnerable Library - cpiorelease_2_12
GNU cpio
Library home page: https://git.savannah.gnu.org/cgit/cpio.git
Found in base branch: main
### Vulnerable Source Files (1)
/vendor/cpio-2.12/src/copyout.c
### Vulnerability Details
All versions of cpio before 2.13 do not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives as a high-privilege user without carefully reviewing them may lead to the compromise of the system.
Publish Date: 2020-01-07
URL: CVE-2019-14866
### CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14866
Release Date: 2020-01-10
Fix Resolution: release_2_13
CVE-2023-7207
### Vulnerable Library - cpiorelease_2_12
GNU cpio
Library home page: https://git.savannah.gnu.org/cgit/cpio.git
Found in base branch: main
### Vulnerable Source Files (1)
/vendor/cpio-2.12/src/copyin.c
### Vulnerability Details
Debian's cpio contains a path traversal vulnerability. This issue was introduced by reverting CVE-2015-1197 patches which had caused a regression in --no-absolute-filenames. Upstream has since provided a proper fix to --no-absolute-filenames.
Publish Date: 2024-02-29
URL: CVE-2023-7207
### CVSS 3 Score Details (4.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059163
Release Date: 2024-02-29
Fix Resolution: v2.14