GNU tar vulnerability could lead to application crash
CVE-2023-39804

6.2MEDIUM

Key Information:

Vendor: GNU
Status: Tar
Vendor: CVE Published:; 27 March 2024

What is CVE-2023-39804?

In versions of GNU Tar prior to 1.35, there exists a vulnerability that arises from the improper handling of extension attributes in PAX archives. This flaw in the xheader.c file can lead to application crashes, posing a risk to system stability and data integrity. Maliciously crafted PAX archives may exploit this vulnerability, emphasizing the importance of updating to the latest version to mitigate potential threats.

References

https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339...

https://git.savannah.gnu.org/cgit/tar.git/tree/src/xheade...

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058079

CVSS V3.1

Score:

6.2

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 27, 2024
Vulnerability Reserved
Aug 7, 2023

JSON