{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-01-08T00:00:00", "descriptions": [{"lang": "en", "value": "Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-06-30T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "1035996", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1035996"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://advisories.mageia.org/MGASA-2015-0106.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526"}, {"name": "openSUSE-SU-2015:0568", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00065.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/libarchive/libarchive/pull/110"}, {"name": "FreeBSD-SA-16:22", "tags": ["vendor-advisory", "x_refsource_FREEBSD"], "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-16:22.libarchive.asc"}, {"name": "[oss-security] 20150116 CVE Request: libarchive -- directory traversal in bsdcpio", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/01/16/7"}, {"name": "DSA-3180", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3180"}, {"name": "USN-2549-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2549-1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://groups.google.com/forum/#%21msg/libarchive-discuss/dN9y1VvE1Qk/Z9uerigjQn0J"}, {"name": "GLSA-201701-03", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201701-03"}, {"name": "MDVSA-2015:157", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:157"}, {"name": "[oss-security] 20150108 Directory traversals in cpio and friends?", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/01/07/5"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-2304", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "1035996", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035996"}, {"name": "http://advisories.mageia.org/MGASA-2015-0106.html", "refsource": "CONFIRM", "url": "http://advisories.mageia.org/MGASA-2015-0106.html"}, {"name": "https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526", "refsource": "CONFIRM", "url": "https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526"}, {"name": "openSUSE-SU-2015:0568", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00065.html"}, {"name": "https://github.com/libarchive/libarchive/pull/110", "refsource": "CONFIRM", "url": "https://github.com/libarchive/libarchive/pull/110"}, {"name": "FreeBSD-SA-16:22", "refsource": "FREEBSD", "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-16:22.libarchive.asc"}, {"name": "[oss-security] 20150116 CVE Request: libarchive -- directory traversal in bsdcpio", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/01/16/7"}, {"name": "DSA-3180", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3180"}, {"name": "USN-2549-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2549-1"}, {"name": "https://groups.google.com/forum/#!msg/libarchive-discuss/dN9y1VvE1Qk/Z9uerigjQn0J", "refsource": "CONFIRM", "url": "https://groups.google.com/forum/#!msg/libarchive-discuss/dN9y1VvE1Qk/Z9uerigjQn0J"}, {"name": "GLSA-201701-03", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201701-03"}, {"name": "MDVSA-2015:157", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:157"}, {"name": "[oss-security] 20150108 Directory traversals in cpio and friends?", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/01/07/5"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T05:10:16.381Z"}, "title": "CVE Program Container", "references": [{"name": "1035996", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1035996"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://advisories.mageia.org/MGASA-2015-0106.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526"}, {"name": "openSUSE-SU-2015:0568", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00065.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/libarchive/libarchive/pull/110"}, {"name": "FreeBSD-SA-16:22", "tags": ["vendor-advisory", "x_refsource_FREEBSD", "x_transferred"], "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-16:22.libarchive.asc"}, {"name": "[oss-security] 20150116 CVE Request: libarchive -- directory traversal in bsdcpio", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/01/16/7"}, {"name": "DSA-3180", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3180"}, {"name": "USN-2549-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2549-1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://groups.google.com/forum/#%21msg/libarchive-discuss/dN9y1VvE1Qk/Z9uerigjQn0J"}, {"name": "GLSA-201701-03", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201701-03"}, {"name": "MDVSA-2015:157", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:157"}, {"name": "[oss-security] 20150108 Directory traversals in cpio and friends?", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/01/07/5"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-2304", "datePublished": "2015-03-15T19:00:00", "dateReserved": "2015-03-15T00:00:00", "dateUpdated": "2024-08-06T05:10:16.381Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libarchive:libarchive:*:*:*:*:*:x64:*:*", "matchCriteriaId": "58595970-A83C-4FD0-B505-837B653ADF31", "versionEndIncluding": "3.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*", "matchCriteriaId": "49A63F39-30BE-443F-AF10-6245587D3359", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive."}, {"lang": "es", "value": "Vulnerabilidad de recorrido de directorio absoluto en bsdcpio en libarchive 3.1.2 y anteriores permite a atacantes remotos escribir archivos arbitrarios a trav\u00e9s de un nombre completo de ruta en un archivo."}], "id": "CVE-2015-2304", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-03-15T19:59:00.070", "references": [{"source": "cve@mitre.org", "url": "http://advisories.mageia.org/MGASA-2015-0106.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00065.html"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2015/dsa-3180"}, {"source": "cve@mitre.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:157"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.openwall.com/lists/oss-security/2015/01/07/5"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2015/01/16/7"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1035996"}, {"source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-2549-1"}, {"source": "cve@mitre.org", "url": "https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526"}, {"source": "cve@mitre.org", "url": "https://github.com/libarchive/libarchive/pull/110"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21msg/libarchive-discuss/dN9y1VvE1Qk/Z9uerigjQn0J"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/201701-03"}, {"source": "cve@mitre.org", "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-16:22.libarchive.asc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://advisories.mageia.org/MGASA-2015-0106.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00065.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2015/dsa-3180"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:157"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.openwall.com/lists/oss-security/2015/01/07/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2015/01/16/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1035996"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2549-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/libarchive/libarchive/pull/110"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://groups.google.com/forum/#%21msg/libarchive-discuss/dN9y1VvE1Qk/Z9uerigjQn0J"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201701-03"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-16:22.libarchive.asc"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "libarchive: directory traversal in bsdcpio", "id": "1192482", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1192482"}, "csaw": false, "cvss": {"cvss_base_score": "2.6", "cvss_scoring_vector": "AV:L/AC:H/Au:N/C:P/I:P/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive."], "name": "CVE-2015-2304", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "libarchive", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "libarchive", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2015-01-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-2304\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-2304"], "statement": "Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Low"}