CVE-2024-28863 - OpenCVE

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7
https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36
https://security.netapp.com/advisory/ntap-20240524-0005/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-21T22:10:23.603Z

Updated: 2024-03-21T22:10:23.603Z

Reserved: 2024-03-11T22:45:07.686Z

Link: CVE-2024-28863

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-03-21T23:15:10.910

Modified: 2024-06-10T17:16:24.773

Link: CVE-2024-28863

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-28863", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-11T22:45:07.686Z", "datePublished": "2024-03-21T22:10:23.603Z", "dateUpdated": "2024-03-21T22:10:23.603Z"}, "containers": {"cna": {"title": "node-tar vulnerable to denial of service while parsing a tar file due to lack of folders count validation", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36"}, {"name": "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", "tags": ["x_refsource_MISC"], "url": "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7"}, {"url": "https://security.netapp.com/advisory/ntap-20240524-0005/"}], "affected": [{"vendor": "isaacs", "product": "node-tar", "versions": [{"version": "< 6.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-21T22:10:23.603Z"}, "descriptions": [{"lang": "en", "value": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders."}], "source": {"advisory": "GHSA-f5x3-32g6-xq36", "discovery": "UNKNOWN"}}}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders."}, {"lang": "es", "value": "node-tar es un Tar para Node.js. Node-tar anterior a la versi\u00f3n 6.2.1 no tiene l\u00edmite en la cantidad de subcarpetas creadas en el proceso de creaci\u00f3n de carpetas. Un atacante que genera una gran cantidad de subcarpetas puede consumir memoria en el sistema que ejecuta node-tar e incluso bloquear el cliente Node.js a los pocos segundos de ejecutarlo usando una ruta con demasiadas subcarpetas dentro. La versi\u00f3n 6.2.1 soluciona este problema impidiendo la extracci\u00f3n en subcarpetas excesivamente profundas."}], "id": "CVE-2024-28863", "lastModified": "2024-06-10T17:16:24.773", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-03-21T23:15:10.910", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7"}, {"source": "security-advisories@github.com", "url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36"}, {"source": "security-advisories@github.com", "url": "https://security.netapp.com/advisory/ntap-20240524-0005/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Secondary"}]}