Lucene search

K
cveGoCVE-2022-2879
HistoryOct 14, 2022 - 3:15 p.m.

CVE-2022-2879

2022-10-1415:15:17
CWE-770
Go
web.nvd.nist.gov
328
3
cve-2022-2879
unbounded memory allocation
reader.read
resource exhaustion
panic
nvd

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.6

Confidence

High

EPSS

0.002

Percentile

58.9%

Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.

Affected configurations

Nvd
Node
golanggoRange<1.18.7
OR
golanggoRange1.19.01.19.2
VendorProductVersionCPE
golanggo*cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "Go standard library",
    "product": "archive/tar",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "archive/tar",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.18.7",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "1.19.0-0",
        "lessThan": "1.19.2",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "programRoutines": [
      {
        "name": "Reader.next"
      },
      {
        "name": "parsePAX"
      },
      {
        "name": "Writer.writePAXHeader"
      },
      {
        "name": "Reader.Next"
      },
      {
        "name": "Writer.WriteHeader"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Social References

More

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.6

Confidence

High

EPSS

0.002

Percentile

58.9%