CVE-2022-2879

Published: Oct 14, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.

Affected (2)

Products: Golang: Go

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.18.7
Golang Go	From 1.19.0 to 1.19.2

Related CWEs

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (10)

https://go.dev/cl/439355

Source: security@golang.org

Patch

https://go.dev/issue/54853

Source: security@golang.org

Issue TrackingThird Party Advisory

https://groups.google.com/g/golang-announce/c/xtuG5faxtaU

Source: security@golang.org

Mailing ListRelease Notes

https://pkg.go.dev/vuln/GO-2022-1037

Source: security@golang.org

Vendor Advisory

https://security.gentoo.org/glsa/202311-09

Source: security@golang.org

https://go.dev/cl/439355

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://go.dev/issue/54853

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://groups.google.com/g/golang-announce/c/xtuG5faxtaU

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListRelease Notes

https://pkg.go.dev/vuln/GO-2022-1037

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://security.gentoo.org/glsa/202311-09

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.