Unbounded memory consumption when reading headers in archive/tar
CVE-2022-2879

7.5HIGH

Key Information:

Vendor: Go Standard Library
Status: Archive/tar
Vendor: CVE Published:; 14 October 2022

What is CVE-2022-2879?

Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.

Affected Version(s)

archive/tar 0 < 1.18.7

archive/tar 1.19.0-0 < 1.19.2

References

https://go.dev/issue/54853

https://go.dev/cl/439355

https://groups.google.com/g/golang-announce/c/xtuG5faxtaU

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 14, 2022
Vulnerability Reserved
Aug 17, 2022

Credit

Adam Korczynski (ADA Logics)

OSS-Fuzz

Go Standard Library

What is CVE-2022-2879?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit