CVE-2022-2879

Summary

Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.

Affected Software

VendorProductVersion RangeStatus
Go standard libraryarchive/tar0 < 1.18.7affected
Go standard libraryarchive/tar1.19.0-0 < 1.19.2affected

Weaknesses

  • CWE 400: Uncontrolled Resource Consumption

ADP Enrichment

CVE Program Container

Additional References

References