CVE-2023-39810

7.8 HIGH

📋 TL;DR

A directory traversal vulnerability in BusyBox's cpio command allows attackers to write files outside the intended extraction directory. This affects systems using BusyBox v1.33.2 with cpio functionality, particularly embedded devices, routers, and containers. Attackers can potentially overwrite critical system files or plant malicious executables.

💻 Affected Systems

Products:
  • BusyBox
Versions: v1.33.2 (specifically this version)
Operating Systems: Linux, Embedded systems using BusyBox
Default Config Vulnerable: ⚠️ Yes
Notes: Only exploitable when the cpio applet is used to extract archives. Many BusyBox builds include cpio by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via overwriting critical files like /etc/passwd, /etc/shadow, or planting backdoors in system binaries.

🟠 Likely Case

Local privilege escalation, denial of service by corrupting system files, or persistence mechanisms via malicious scripts.

🟢 If Mitigated

Limited impact if cpio is not used with untrusted archives, or if filesystem permissions restrict write access to sensitive locations.

🌐 Internet-Facing: MEDIUM - Risk exists if cpio processes archives from untrusted sources (e.g., web uploads), but requires specific cpio usage patterns.
🏢 Internal Only: MEDIUM - Internal users with cpio access could exploit for privilege escalation or lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access or ability to supply malicious cpio archives. Public proof-of-concept demonstrates directory traversal.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BusyBox v1.33.3 and later

Vendor Advisory: http://busybox.com

Restart Required: No

Instructions:

1. Download the latest BusyBox from http://busybox.net/downloads.
2. Replace the existing busybox binary.
3. Verify with 'busybox --version'.

🔧 Temporary Workarounds

Disable cpio applet

Remove cpio functionality from the BusyBox build:

make menuconfig

Navigate to Archival Utilities -> cpio and disable it.

Restrict cpio usage

Use filesystem permissions to limit who can execute cpio. Note that on most BusyBox systems every applet is a symlink to the same binary, so restricting /bin/busybox restricts all applets, not only cpio:

chmod 750 /bin/busybox
setfacl -m u:root:rx /bin/busybox

🧯 If You Can't Patch

  • Monitor and audit cpio usage patterns for suspicious archive extraction
  • Implement strict input validation for any cpio archive sources
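One way to implement the input-validation item above, as an added example that is not part of this advisory or of BusyBox: a Python pre-extraction check that parses a newc-format ("070701") cpio archive and lists entries whose names would land outside the extraction directory. The field offsets are those of the newc header; the sample archive and its entry names are constructed here.

```python
# Added pre-extraction check for newc ("070701") cpio archives; not BusyBox code.
NEWC_MAGIC = b"070701"
HEADER_LEN = 110  # 6-byte magic followed by 13 eight-digit hex fields

def _pad4(n):
    return (n + 3) & ~3  # newc aligns header+name and file data to 4 bytes

def iter_newc_names(archive):
    """Yield entry names from a newc cpio archive up to the TRAILER!!! record."""
    off = 0
    while off + HEADER_LEN <= len(archive):
        hdr = archive[off:off + HEADER_LEN]
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError("not a newc cpio header at offset %d" % off)
        filesize = int(hdr[54:62], 16)   # c_filesize
        namesize = int(hdr[94:102], 16)  # c_namesize, counts the trailing NUL
        name = archive[off + HEADER_LEN:off + HEADER_LEN + namesize - 1]
        if name == b"TRAILER!!!":
            return
        yield name.decode("utf-8", "replace")
        off += _pad4(HEADER_LEN + namesize) + _pad4(filesize)

def escapes_extraction_dir(name):
    """True if the name is absolute or its '..' components climb above the root."""
    if name.startswith("/"):
        return True
    depth = 0
    for part in name.split("/"):
        if part in ("", "."):
            continue
        depth += -1 if part == ".." else 1
        if depth < 0:
            return True
    return False

def find_traversal_entries(archive):
    return [n for n in iter_newc_names(archive) if escapes_extraction_dir(n)]

def build_newc(entries):  # minimal newc writer, used only for constructed sample input
    out = bytearray()
    for name, data in list(entries) + [("TRAILER!!!", b"")]:
        name_b = name.encode() + b"\0"
        fields = [0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        out += NEWC_MAGIC + b"".join(b"%08x" % f for f in fields) + name_b
        out += b"\0" * (_pad4(HEADER_LEN + len(name_b)) - HEADER_LEN - len(name_b))
        out += data + b"\0" * (_pad4(len(data)) - len(data))
    return bytes(out)

SAMPLE = build_newc([("etc/motd", b"hi\n"), ("../../etc/passwd", b"x"),  # constructed:
                     ("/etc/shadow", b"y"), ("a/../b", b"z")])  # two escape, "a/../b" does not
```

Run `find_traversal_entries()` on any archive from an untrusted source before handing it to cpio and refuse extraction when the list is non-empty; the check inspects names only and complements, rather than replaces, upgrading to v1.33.3.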

🔍 How to Verify

Check if Vulnerable:

Check BusyBox version: 'busybox --version | grep 1.33.2'

Check Version:

busybox --version

Verify Fix Applied:

Verify the version is 1.33.3 or higher. Note that 'busybox --version | grep -v 1.33.2' only shows that the build is not 1.33.2 (an older release would also pass), so compare the printed version number against 1.33.3 directly.

📡 Detection & Monitoring

Log Indicators:

  • cpio extraction logs with suspicious file paths containing '..'
  • Failed file writes outside expected directories

Network Indicators:

  • Unusual archive downloads followed by cpio execution

SIEM Query:

process.name='busybox' AND cmdline CONTAINS 'cpio' AND cmdline CONTAINS '..'
