CVE-2023-7216

Publication date 5 February 2024

Last updated 11 July 2025

Ubuntu priority

Cvss 3 Severity Score

Description

A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which allows files to be written in arbitrary directories through symlinks.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
cpio	26.04 LTS resolute	Vulnerable, fix deferred
	25.10 questing	Vulnerable, fix deferred
	25.04 plucky	Ignored end of life, was deferred
	24.10 oracular	Ignored end of life, was deferred
	24.04 LTS noble	Vulnerable, fix deferred
	23.10 mantic	Ignored end of life, was deferred [2024-09-09]
	22.04 LTS jammy	Vulnerable, fix deferred
	20.04 LTS focal	Vulnerable, fix deferred
	18.04 LTS bionic	Vulnerable, fix deferred
	16.04 LTS xenial	Vulnerable, fix deferred
	14.04 LTS trusty	Vulnerable, fix deferred

Notes

fabian

Upstream believes this is normal behavior. https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html

mdeslaur

deferring to see if CVE gets rejected

Severity score breakdown

CVSS version: CVSS v3.0

Base score 5.3 · Medium

Base metrics

Parameter	Value
Attack vector	Local
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality impact	Low
Integrity impact	Low
Availability impact	Low

Scores

Parameter	Value
Base score	5.3 · Medium
Exploitability score	-
Impact score	-

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L