CVE-2022-2879
Unbounded memory consumption when reading headers in archive/tar
Descriptions
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After the fix, Reader.Read limits the maximum size of header blocks to 1 MiB. The fix shipped in Go 1.18.7 and Go 1.19.2.
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or a panic. After the fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or a panic. After the fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
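The descriptions above state the cap but not what it looks like on the wire. The Go program below is an added worked example, not code from this advisory or from the Go project. It hand-builds a tar stream (constructed test data) whose first entry is a PAX extended header (typeflag 'x') carrying a single "comment" record; with a 16-byte value the archive is ordinary, with a 2 MiB value it is the oversized metadata entry this CVE is about. Feeding the stream to archive/tar on a patched toolchain (Go 1.18.7, 1.19.2 or later) makes Next return tar.ErrFieldTooLong instead of buffering the entry. It also defines checkSpecialEntries, a hypothetical pre-check (this example's own, not an archive/tar API) that walks the raw 512-byte headers and rejects PAX and GNU long-name/long-link entries above a limit based on their declared size, without reading their payload; that is the shape of mitigation an application can apply in front of an unpatched toolchain, and it has to accept the GNU base-256 size encoding that archive/tar accepts or a crafted archive could slip past it. All identifiers (buildArchive, paxRecord, parseSize, checkSpecialEntries, ErrOversizedSpecialEntry, maxSpecialFileSize) are assumptions of this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

const blockSize = 512
const maxSpecialFileSize = 1 << 20 // the 1 MiB cap fixed Go versions apply to PAX and GNU long-name entries
var ErrOversizedSpecialEntry = errors.New("tar: special entry exceeds size limit") // returned by checkSpecialEntries (defined here, not in archive/tar)

// paxRecord formats one PAX record, "<len> key=value\n", where len counts the whole record.
func paxRecord(key, value string) string {
	rec := " " + key + "=" + value + "\n"
	n := len(rec) + 1
	for len(strconv.Itoa(n))+len(rec) != n { // grow until the prefix accounts for its own digits
		n++
	}
	return strconv.Itoa(n) + rec
}

// buildArchive returns a constructed tar stream: a PAX extended header entry ('x') whose one "comment" record
// has a paxValueLen-byte value, then a small file. tar.Writer refuses to emit TypeXHeader on request, so that block is built by hand.
func buildArchive(paxValueLen int) []byte {
	payload := paxRecord("comment", strings.Repeat("A", paxValueLen))
	blk := make([]byte, blockSize)
	copy(blk[0:], "PaxHeaders/payload")
	copy(blk[124:], fmt.Sprintf("%011o\x00", len(payload))) // size field, octal
	copy(blk[148:], "        ")                             // checksum is summed with its own field as spaces
	blk[156] = tar.TypeXHeader
	copy(blk[257:], "ustar\x0000") // magic + version
	sum := 0
	for _, b := range blk {
		sum += int(b)
	}
	copy(blk[148:], fmt.Sprintf("%06o\x00 ", sum))
	buf := bytes.NewBuffer(blk)
	buf.WriteString(payload)
	buf.Write(make([]byte, (blockSize-len(payload)%blockSize)%blockSize)) // pad to a block boundary
	tw := tar.NewWriter(buf)                                               // errors ignored: a bytes.Buffer cannot fail
	tw.WriteHeader(&tar.Header{Name: "hello.txt", Mode: 0o644, Size: 6})
	tw.Write([]byte("hello\n"))
	tw.Close() // appends the two zero end-of-archive blocks
	return buf.Bytes()
}

// parseSize decodes the 12-byte size field. archive/tar accepts GNU base-256 (first byte has its
// high bit set) as well as octal, so a pre-check that parsed only octal could be bypassed.
func parseSize(f []byte) (int64, error) {
	if f[0]&0x80 != 0 {
		if f[0] != 0x80 || f[1]|f[2]|f[3] != 0 || f[4]&0x80 != 0 { // negative, or does not fit int64
			return 0, errors.New("tar: base-256 size is negative or exceeds int64")
		}
		return int64(binary.BigEndian.Uint64(f[4:])), nil
	}
	v, err := strconv.ParseInt(strings.Trim(string(f), " \x00"), 8, 64)
	if err != nil || v < 0 {
		return 0, fmt.Errorf("tar: bad octal size field %q", f)
	}
	return v, nil
}

// checkSpecialEntries walks the raw header blocks and rejects any PAX or GNU long-name/long-link
// entry declaring more than limit bytes, before archive/tar is asked to buffer it. It holds one block.
func checkSpecialEntries(r io.Reader, limit int64) error {
	var blk [blockSize]byte
	for {
		if _, err := io.ReadFull(r, blk[:]); err != nil || blk == [blockSize]byte{} {
			return err // nil at the all-zero end-of-archive marker; io.EOF if the stream ended without one
		}
		size, err := parseSize(blk[124:136])
		if err != nil {
			return err
		}
		switch blk[156] {
		case tar.TypeXHeader, tar.TypeXGlobalHeader, tar.TypeGNULongName, tar.TypeGNULongLink:
			if size > limit {
				return fmt.Errorf("%w: typeflag %q declares %d bytes", ErrOversizedSpecialEntry, blk[156], size)
			}
		case tar.TypeLink, tar.TypeSymlink, tar.TypeChar, tar.TypeBlock, tar.TypeDir, tar.TypeFifo:
			size = 0 // header-only types carry no data, whatever the size field says
		}
		if _, err := io.CopyN(io.Discard, r, (size+blockSize-1)/blockSize*blockSize); err != nil {
			return err
		}
	}
}

func main() {
	data := buildArchive(2 << 20) // a PAX value over the 1 MiB cap; use 16 to see both checks pass
	_, err := tar.NewReader(bytes.NewReader(data)).Next()
	fmt.Println("pre-check:", checkSpecialEntries(bytes.NewReader(data), maxSpecialFileSize), "| Next():", err)
}
```

The pre-check decides on the declared size alone and never reads the payload, which matters because a realistic attack ships the multi-gigabyte PAX payload gzip-compressed to a few megabytes; an unpatched archive/tar would faithfully decompress and buffer it. The check is a stopgap for callers stuck on Go < 1.18.7 or 1.19.0/1.19.1; upgrading the toolchain is the actual fix.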
Timeline
- 2022-08-17 CVE Reserved
- 2022-10-14 CVE Published
- 2024-06-04 EPSS Updated
- 2024-08-03 CVE Updated
- Exploited in Wild: not recorded
- KEV Due Date: not recorded
- First Exploit: not recorded
CWE
- CWE-770: Allocation of Resources Without Limits or Throttling
References (7)
URL | Tag | Date
---|---|---
https://go.dev/issue/54853 | Issue Tracking | -
https://groups.google.com/g/golang-announce/c/xtuG5faxtaU | Mailing List | -
https://security.gentoo.org/glsa/202311-09 | - | -
https://go.dev/cl/439355 | - | 2023-11-25
https://pkg.go.dev/vuln/GO-2022-1037 | - | 2023-11-25
https://access.redhat.com/security/cve/CVE-2022-2879 | - | 2024-05-22
https://bugzilla.redhat.com/show_bug.cgi?id=2132867 | - | 2024-05-22
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Golang | Go | < 1.18.7 | - | Affected
Golang | Go | >= 1.19.0 < 1.19.2 | - | Affected