Cyber Resilience

CVE-2023-7216

Severity: Medium · Public PoC referenced

Published: 05 February 2024

Modified: 25 February 2026
KEV Added: not listed
CVSS v3.1 score: 5.3 (vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
EPSS score: 0.0028 (51.5th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-7216 is a medium-severity Link Following (CWE-59) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 48.5% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Vulnerability details

A path traversal vulnerability was found in the cpio utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which allows files to be written in arbitrary directories through symlinks.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1546.004 Unix Shell Configuration Modification (tactic: Privilege Escalation)
Adversaries may establish persistence through executing malicious commands triggered by a user's shell.
T1098.004 SSH Authorized Keys (tactic: Persistence)
Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host.
T1547.013 XDG Autostart Entries (tactic: Persistence)
Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user's desktop environment is loaded at login.
T1566.001 Spearphishing Attachment (tactic: Initial Access)
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.
Why these techniques?

Path traversal via symlink following during cpio extraction enables arbitrary file writes once a user is tricked into processing a crafted archive (T1566.001, T1204.002). That write primitive exploits the client utility for execution (T1203) and can establish persistence through Unix shell configuration files (.bashrc; T1546.004), SSH authorized keys (~/.ssh; T1098.004), or XDG autostart entries (~/.config/autostart/; T1547.013).

Affected Assets

GNU cpio: all versions
Red Hat Enterprise Linux: 7.0, 8.0, 9.0

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-22): validates pathnames and filenames to prevent traversal outside intended directories.
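As an added defensive illustration (not part of this advisory and not GNU cpio's own code), the following Python dry-runs a newc-format cpio archive in extraction order and reports entries that would escape the destination: names with absolute or `..` components (the CWE-22 check described under Mitigating Controls), and writes that pass through a symlink the same archive created earlier (the symlink-following pattern described under Vulnerability details). The destination path `/srv/extract` and the archive bytes are constructed for the example; the audit only models symlinks the archive itself creates, not links already present on disk.

```python
import os, stat

def newc_entry(name: str, mode: int, data: bytes = b"") -> bytes:
    """Build one SVR4 'newc' cpio entry: magic, 13 hex fields, name, data, 4-byte aligned."""
    name_b = name.encode() + b"\0"
    fields = [1, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    out = b"070701" + b"".join(f"{v:08x}".encode() for v in fields) + name_b
    out += b"\0" * (-len(out) % 4)                  # header+name padded to 4
    return out + data + b"\0" * (-len(data) % 4)    # data padded to 4

def parse_newc(blob: bytes):
    """Yield (name, mode, data) for each entry up to the TRAILER!!! record."""
    off = 0
    while off + 110 <= len(blob):
        hdr = blob[off:off + 110]
        if hdr[:6] != b"070701":
            raise ValueError(f"bad newc magic at offset {off}")
        mode, filesize, namesize = (int(hdr[a:b], 16) for a, b in ((14, 22), (54, 62), (94, 102)))
        name = blob[off + 110:off + 110 + namesize - 1].decode()
        if name == "TRAILER!!!":
            return
        data_off = off + 110 + namesize + (-(110 + namesize) % 4)
        yield name, mode, blob[data_off:data_off + filesize]
        off = data_off + filesize + (-filesize % 4)

def audit_newc_archive(blob: bytes, dest: str = "/srv/extract") -> list:
    """Dry-run entries in extraction order; report any that would land outside dest."""
    dest, symlinks, findings = os.path.normpath(dest), {}, []
    for name, mode, data in parse_newc(blob):
        parts = name.split("/")
        if name.startswith("/") or ".." in parts:
            findings.append(f"{name}: absolute path or '..' component")
            continue
        # A parent that an earlier entry created as a symlink redirects this write (CWE-59).
        through = {"/".join(parts[:i]) for i in range(1, len(parts))} & set(symlinks)
        if through:
            findings.append(f"{name}: written through earlier symlink '{min(through)}'")
        if stat.S_ISLNK(mode):
            target = symlinks[name] = data.decode()
            resolved = os.path.normpath(os.path.join(dest, os.path.dirname(name), target))
            if os.path.commonpath([dest, resolved]) != dest:
                findings.append(f"{name}: symlink target '{target}' resolves outside {dest}")
    return findings

SAMPLE = b"".join([  # constructed test archive: benign file, symlink-then-write, dot-dot
    newc_entry("safe.txt", 0o100644, b"hello\n"),
    newc_entry("cfg", 0o120777, b"../outside"),       # symlink pointing out of dest
    newc_entry("cfg/planted.txt", 0o100644, b"x"),     # would be written via the link
    newc_entry("../escape.txt", 0o100644, b"y"),       # classic dot-dot traversal
    newc_entry("TRAILER!!!", 0)])
```

Running `audit_newc_archive(SAMPLE)` yields three findings (the escaping symlink, the write through it, and the dot-dot name) while a benign archive yields none.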
