[GO-2022-1037] Unbounded memory consumption when reading headers in archive/tar

Severity High
Affected Packages 2
Fixed Packages 2
CVEs 1

Reader.Read does not set a limit on the maximum size of file headers. A
maliciously crafted archive could cause Read to allocate unbounded amounts of
memory, potentially causing resource exhaustion or panics. The records at
issue are the variable-length ones: a plain 512-byte USTAR header cannot grow,
but PAX extended headers and GNU long name/link records carry a size field, so
an archive that is itself only a few kilobytes can declare a multi-gigabyte
header and make the reader try to buffer it. After the fix, Reader.Read limits
the maximum size of header blocks to 1 MiB.
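As an added example (not code from the Go project or from this advisory), the program below shows the shape of the problem and a defence-in-depth pre-check for callers who cannot upgrade immediately: it walks the raw header blocks of an archive, refuses any PAX ('x', 'g') or GNU long name/link ('L', 'K') record whose declared size exceeds a cap, and only then hands the bytes to archive/tar. The cap value of 1 MiB follows the advisory; the constant and function names, the hand-built archive whose PAX record claims 8 GiB - 1 of data, and the benign archive written by archive/tar itself are this example's own constructions.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
)

// 1 MiB matches the cap the advisory describes; the constant names are this example's own.
const (
	blockSize                = 512
	maxSpecialFileSize int64 = 1 << 20
)

var errHeaderTooLarge = errors.New("tar: special header record exceeds size limit")

// scanSpecialRecords walks the raw 512-byte header blocks of an in-memory archive
// and rejects a PAX or GNU long name/link record whose declared size exceeds
// limit, before anything tries to read (and so allocate) it. Data is skipped, never read.
func scanSpecialRecords(archive []byte, limit int64) error {
	for off := int64(0); off+blockSize <= int64(len(archive)); {
		block := archive[off : off+blockSize]
		if len(bytes.Trim(block, "\x00")) == 0 {
			return nil // end-of-archive marker
		}
		// Size field: 11 octal digits at offset 124. Base-256 (high bit set) is refused so the check fails closed.
		if block[124]&0x80 != 0 {
			return errors.New("tar: base-256 size field not supported by pre-check")
		}
		size, err := strconv.ParseInt(string(bytes.Trim(block[124:136], " \x00")), 8, 64)
		if err != nil || size < 0 {
			return fmt.Errorf("tar: invalid size field %q", block[124:136])
		}
		switch typeflag := block[156]; typeflag {
		case 'x', 'g', 'L', 'K':
			if size > limit {
				return fmt.Errorf("%w: typeflag %q declares %d bytes", errHeaderTooLarge, typeflag, size)
			}
		}
		off += blockSize + (size+blockSize-1)/blockSize*blockSize // header + padded data
	}
	return nil // a truncated archive is left for tar.Reader to report
}

// safeList runs the pre-check and only then hands the bytes to archive/tar.
func safeList(archive []byte, limit int64) (names []string, err error) {
	if err := scanSpecialRecords(archive, limit); err != nil {
		return nil, err
	}
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return names, nil
		} else if err != nil {
			return nil, err
		}
		names = append(names, hdr.Name)
	}
}

// rawHeader hand-builds one USTAR header block with a valid checksum (constructed test input).
func rawHeader(name string, typeflag byte, size int64) []byte {
	b := make([]byte, blockSize)
	copy(b, name)
	// mode, uid, gid, size and mtime sit back to back at bytes 100..147
	copy(b[100:], fmt.Sprintf("0000644\x00"+"0000000\x00"+"0000000\x00"+"%011o\x00"+"00000000000\x00", size))
	copy(b[148:], "        ") // the checksum field counts as spaces while summing
	b[156] = typeflag
	copy(b[257:], "ustar\x0000")
	sum := 0
	for _, c := range b {
		sum += int(c)
	}
	copy(b[148:], fmt.Sprintf("%06o\x00 ", sum))
	return b
}

// buildMaliciousArchive is 1.5 KiB on the wire, yet its PAX record claims 8 GiB - 1 of data (the largest 11-digit octal value).
func buildMaliciousArchive() []byte {
	return append(rawHeader("PaxHeaders.0/evil", 'x', 1<<33-1), make([]byte, 2*blockSize)...)
}

// buildBenignArchive lets archive/tar itself emit a small PAX record that must pass the check.
func buildBenignArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	hdr := &tar.Header{Name: "hello.txt", Mode: 0o644, Size: 6, Format: tar.FormatPAX,
		PAXRecords: map[string]string{"comment": "small, legitimate PAX record"}}
	if err := tw.WriteHeader(hdr); err != nil {
		panic(err)
	}
	io.WriteString(tw, "hello\n")      // exactly Size bytes, so this cannot fail
	if err := tw.Close(); err != nil { // Close reports a short or missing body
		panic(err)
	}
	return buf.Bytes()
}
```

On a fixed toolchain (1.18.7 or 1.19.2 and later) tar.Reader rejects the oversized record on its own, and upgrading is the real remedy; the scanner above is only worthwhile where the toolchain is pinned, or as a belt-and-braces check in front of untrusted input. It needs the whole archive in memory; a streaming caller would wrap the reader and apply the same per-block logic before forwarding bytes to archive/tar.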

Package                   Affected versions        Fixed version
pkg:golang/archive/tar    < 1.18.7                 1.18.7
pkg:golang/archive/tar    >= 1.19.1, < 1.19.2      1.19.2