CVE-2019-14866: Input Validation

Published Jan 7, 2020

GNU cpio could allow a local authenticated attacker to gain elevated privileges on the system, caused by the failure to properly validate input files when generating TAR archives. An attacker could exploit this vulnerability to inject any tar content and compromise the system.

Other sources

All versions of cpio before 2.13 do not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths they did not have access to. Extracting those archives as a high-privilege user without carefully reviewing them may lead to the compromise of the system.
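The mitigation the description points at is reviewing an archive before a privileged user extracts it. The following is an added example, not code from the advisory or from GNU cpio: it builds a constructed in-memory tar containing the two kinds of members the description warns about (a setuid file and a path that escapes the extraction directory) and audits it with Python's standard tarfile module; the member names and the audit rules are assumptions for illustration.

```python
import io
import stat
import tarfile


def build_sample_archive() -> bytes:
    """Constructed sample data (not real cpio output): one benign file plus two
    members that a privileged extraction should never accept unreviewed."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, uid, payload in [
            ("etc/motd", 0o644, 1000, b"hello\n"),
            ("usr/local/bin/helper", 0o4755, 0, b"#!/bin/sh\n"),  # setuid, owned by uid 0
            ("../../../etc/cron.d/job", 0o644, 0, b"* * * * * root true\n"),  # escapes target dir
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = mode
            info.uid = uid
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def _escapes(path: str) -> bool:
    """True for absolute paths or any '..' component."""
    return path.startswith("/") or ".." in path.split("/")


def audit_tar(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for each member that should block extraction
    by a high-privilege user. An empty list means nothing suspicious was found."""
    findings: list[tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():
            if _escapes(m.name):
                findings.append((m.name, "path escapes extraction directory"))
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((m.name, "setuid/setgid bit set"))
            if (m.mode & stat.S_IWOTH) and not m.issym():
                findings.append((m.name, "world-writable"))
            if (m.issym() or m.islnk()) and _escapes(m.linkname):
                findings.append((m.name, "link target outside extraction directory"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_tar(build_sample_archive()):
        print(f"REJECT {name}: {reason}")
```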

Affected Software

9 affected components:

IBM Security Guardium <= 10.5
IBM Security Guardium <= 10.6
IBM Security Guardium <= 11.0
IBM Security Guardium <= 11.1
IBM Security Guardium <= 11.2
IBM Security Guardium <= 11.3
GNU cpio < 2.13
Red Hat Enterprise Linux = 7.0
Red Hat Enterprise Linux = 8.0

Event History

Jan 7, 2020
CVE Published via MITRE, 04:53 PM
Data Sourced via MITRE, 04:53 PM


Frequently Asked Questions

1. What is the vulnerability ID of this security issue?

The vulnerability ID of this security issue is CVE-2019-14866.

2. What is the severity of CVE-2019-14866?

The severity of CVE-2019-14866 is high (7.3).

3. Which software versions are affected by this vulnerability?

IBM Security Guardium versions up to and including 10.5, 10.6, 11.0, 11.1, 11.2, and 11.3 are affected by this vulnerability. GNU cpio up to version 2.13 and Red Hat Enterprise Linux versions 7.0 and 8.0 are also affected.

4. What is the impact of this vulnerability?

Exploiting this vulnerability could allow a local authenticated attacker to gain elevated privileges on the system.

5. How can this vulnerability be fixed?

To fix this vulnerability, it is recommended to upgrade to a patched version of cpio and apply any available security updates provided by vendors such as IBM and Red Hat.
