CVE-2022-2879 - OpenCVE

Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Golang	Go

Configuration 1 [-]

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::

References

Link	Resource
https://go.dev/cl/439355	Patch
https://go.dev/issue/54853	Issue Tracking Third Party Advisory
https://groups.google.com/g/golang-announce/c/xtuG5faxtaU	Mailing List Release Notes
https://pkg.go.dev/vuln/GO-2022-1037	Vendor Advisory
https://security.gentoo.org/glsa/202311-09

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Go

Published: 2022-10-14T00:00:00

Updated: 2023-06-12T19:05:28.975Z

Reserved: 2022-08-17T00:00:00

Link: CVE-2022-2879

JSON object: View

NVD Information

Status : Modified

Published: 2022-10-14T15:15:17.647

Modified: 2023-11-25T11:15:09.553

Link: CVE-2022-2879

JSON object: View

Redhat Information

No data.

CWE

CWE-770

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CB667C1-EC12-4400-B4F0-6D3B7DDAAD99", "versionEndExcluding": "1.18.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "7614AA04-CA34-4ED8-B580-005EA84BD5B4", "versionEndExcluding": "1.19.2", "versionStartIncluding": "1.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB."}, {"lang": "es", "value": "Reader.Read no establece un l\u00edmite en el tama\u00f1o m\u00e1ximo de los encabezados de los archivos. Un archivo dise\u00f1ado de forma maliciosa pod\u00eda causar que Read asignara cantidades ilimitadas de memoria, causando potencialmente el agotamiento de los recursos o el p\u00e1nico. Tras la correcci\u00f3n, Reader.Read limita el tama\u00f1o m\u00e1ximo de los bloques de encabezado a 1 MiB"}], "id": "CVE-2022-2879", "lastModified": "2023-11-25T11:15:09.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-14T15:15:17.647", "references": [{"source": "security@golang.org", "tags": ["Patch"], "url": "https://go.dev/cl/439355"}, {"source": "security@golang.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://go.dev/issue/54853"}, {"source": "security@golang.org", "tags": ["Mailing List", "Release Notes"], "url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2022-1037"}, {"source": "security@golang.org", "url": "https://security.gentoo.org/glsa/202311-09"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}