Alpine: multiple cpio packages: security update to 2.13-r0

Tenable Cloud Security Plugin ID 403914 (severity: high)

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files
via a symlink attack on a file in an archive. (CVE-2015-1197)

- All versions of cpio before 2.13 do not properly validate input files when generating TAR archives.
When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may
contain files with permissions the attacker did not have, or in paths the attacker did not have access to.
Extracting those archives as a high-privilege user without carefully reviewing them may lead to the
compromise of the system. (CVE-2019-14866)

See Also

https://security.alpinelinux.org/vuln/CVE-2015-1197

https://security.alpinelinux.org/vuln/CVE-2019-14866

Plugin Details

Severity: High

ID: 403914

Version: Revision 1.27

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 5.4

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2019-14866

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.6

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 1/5/2015

Reference Information

CVE: CVE-2015-1197, CVE-2019-14866

BID: 71914