{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-39810", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T18:18:10.016Z", "dateReserved": "2023-08-07T00:00:00", "datePublished": "2023-08-28T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-08-28T18:13:20.931278"}, "descriptions": [{"lang": "en", "value": "An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://busybox.com"}, {"url": "https://www.pentagrid.ch/en/blog/busybox-cpio-directory-traversal-vulnerability/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:18:10.016Z"}, "title": "CVE Program Container", "references": [{"url": "http://busybox.com", "tags": ["x_transferred"]}, {"url": "https://www.pentagrid.ch/en/blog/busybox-cpio-directory-traversal-vulnerability/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:busybox:busybox:1.30.1:*:*:*:*:*:*:*", "matchCriteriaId": "8AC195D9-9524-4293-8324-599BAD0EE324", "vulnerable": true}, {"criteria": "cpe:2.3:a:busybox:busybox:1.33.2:*:*:*:*:*:*:*", "matchCriteriaId": "2E135F20-BC21-42DE-A91C-343049863AA2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal."}], "id": "CVE-2023-39810", "lastModified": "2023-09-07T13:48:46.393", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-28T19:15:07.893", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://busybox.com"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.pentagrid.ch/en/blog/busybox-cpio-directory-traversal-vulnerability/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "busybox: CPIO command of Busybox allows attackers to execute a directory traversal", "id": "2235824", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235824"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H", "status": "draft"}, "cwe": "CWE-22", "details": ["An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal.", "A flaw was found in the BusyBox tool. This issue occurs in the cpio command of BusyBox and may allow attackers to execute a directory traversal. If untrusted archives are extracted, this can result in files written outside of the destination directory or files being overwritten that contain configuration in the form of shell scripts such as ~/.bashrc or scripts that enable login from a remote side such as the ~/.ssh/authorized_keys file."], "mitigation": {"lang": "en:us", "value": "Change the default behavior to ignore relative file names with a ../ pattern within the cpio archive. To process files with a directory traversal pattern, a command line flag could be introduced, as done in GNU cpio.\nUsers can specify on the BusyBox cpio command line which file name should be unpacked, which should be safe as long as no directory traversal is included in that file name argument.\nUsers may also consider using another cpio implementation, or may ensure that archive files are trusted."}, "name": "CVE-2023-39810", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "busybox", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2023-08-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-39810\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-39810\nhttps://www.pentagrid.ch/en/blog/busybox-cpio-directory-traversal-vulnerability/"], "statement": "This issue did not affect the versions of Busybox as shipped with Red Hat Enterprise Linux 6.", "threat_severity": "Moderate"}