Vulnerability Details : CVE-2022-2879
Reader.Read in archive/tar does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After the fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
Products affected by CVE-2022-2879
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-2879
- EPSS score: 0.02% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~1% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2022-2879
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST |
CWE ids for CVE-2022-2879
- The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2022-2879
- https://go.dev/cl/439355 : archive/tar: limit size of headers (I85136d6f) · Gerrit Code Review (Patch)
- https://groups.google.com/g/golang-announce/c/xtuG5faxtaU : [security] Go 1.19.2 and Go 1.18.7 are released (Mailing List; Release Notes)
- https://security.gentoo.org/glsa/202311-09 : Go: Multiple Vulnerabilities (GLSA 202311-09) · Gentoo security
- https://pkg.go.dev/vuln/GO-2022-1037 : GO-2022-1037 · Go Packages (Vendor Advisory)
- https://go.dev/issue/54853 : archive/tar: unbounded memory consumption when reading headers · Issue #54853 · golang/go · GitHub (Issue Tracking; Third Party Advisory)