Show filters
4 Total Results
Displaying 1-4 of 4
Sort by:
Attacker Value
Very High
CVE-2022-41352
Disclosure Date: September 26, 2022 (last updated February 01, 2024)
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.
3
Attacker Value
Unknown
CVE-2023-7207
Disclosure Date: February 29, 2024 (last updated February 29, 2024)
Debian's cpio contains a path traversal vulnerability. This issue was introduced by reverting CVE-2015-1197 patches which had caused a regression in --no-absolute-filenames. Upstream has since provided a proper fix to --no-absolute-filenames.
0
Attacker Value
Unknown
CVE-2017-7516
Disclosure Date: January 29, 2018 (last updated November 08, 2023)
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-1197. Reason: This candidate is a duplicate of CVE-2015-1197. Notes: All CVE users should reference CVE-2015-1197 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
0
Attacker Value
Unknown
CVE-2015-1197
Disclosure Date: February 19, 2015 (last updated December 22, 2023)
cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.
0