CVE-2023-7216 MEDIUM

CVE-2023-7216: Cpio: extraction allows symlinks which enables remote command execution

Vendor Red Hat
Product Red Hat Enterprise Linux 6
Weakness CWE-59
Published February 5, 2024
Last update February 25, 2026

CVSS base score

5.3/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which allows files to be written in arbitrary directories through symlinks.

Key dates

02Disclosure timeline

February 5, 2024 CVE published
February 25, 2026 Record updated