Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.
Sergey Poznyakoff reports:
This stable release fixes several potential vulnerabilities
CVE-2015-1197: cpio, when using the --no-absolute-filenames
option, allows local users to write to arbitrary files
via a symlink attack on a file in an archive.
CVE-2016-2037: The cpio_safer_name_suffix function in
util.c allows remote attackers to cause a denial of service
(out-of-bounds write) via a crafted cpio file.
CVE-2019-14866: Improper input validation when writing
tar header fields leads to unexpected tar generation.