CVE-2022-2879

Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://go.dev/cl/439355	Patch
https://go.dev/issue/54853	Issue Tracking Third Party Advisory
https://groups.google.com/g/golang-announce/c/xtuG5faxtaU	Mailing List Release Notes
https://pkg.go.dev/vuln/GO-2022-1037	Vendor Advisory
https://security.gentoo.org/glsa/202311-09
https://go.dev/cl/439355	Patch
https://go.dev/issue/54853	Issue Tracking Third Party Advisory
https://groups.google.com/g/golang-announce/c/xtuG5faxtaU	Mailing List Release Notes
https://pkg.go.dev/vuln/GO-2022-1037	Vendor Advisory
https://security.gentoo.org/glsa/202311-09

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::

History

21 Nov 2024, 07:01

Type	Values Removed	Values Added
References	~~() https://go.dev/cl/439355 - Patch~~	() https://go.dev/cl/439355 - Patch
References	~~() https://go.dev/issue/54853 - Issue Tracking, Third Party Advisory~~	() https://go.dev/issue/54853 - Issue Tracking, Third Party Advisory
References	~~() https://groups.google.com/g/golang-announce/c/xtuG5faxtaU - Mailing List, Release Notes~~	() https://groups.google.com/g/golang-announce/c/xtuG5faxtaU - Mailing List, Release Notes
References	~~() https://pkg.go.dev/vuln/GO-2022-1037 - Vendor Advisory~~	() https://pkg.go.dev/vuln/GO-2022-1037 - Vendor Advisory
References	~~() https://security.gentoo.org/glsa/202311-09 -~~	() https://security.gentoo.org/glsa/202311-09 -

25 Nov 2023, 11:15

Type	Values Removed	Values Added
References		() https://security.gentoo.org/glsa/202311-09 -

Information

Published : 2022-10-14 15:15

Updated : 2024-11-21 07:01

NVD link : CVE-2022-2879

Mitre link : CVE-2022-2879

CVE.ORG link : CVE-2022-2879

JSON object : View

Products Affected

golang

go

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2022-2879", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-10-14T15:15:17.647", "references": [{"url": "https://go.dev/cl/439355", "tags": ["Patch"], "source": "security@golang.org"}, {"url": "https://go.dev/issue/54853", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "security@golang.org"}, {"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU", "tags": ["Mailing List", "Release Notes"], "source": "security@golang.org"}, {"url": "https://pkg.go.dev/vuln/GO-2022-1037", "tags": ["Vendor Advisory"], "source": "security@golang.org"}, {"url": "https://security.gentoo.org/glsa/202311-09", "source": "security@golang.org"}, {"url": "https://go.dev/cl/439355", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://go.dev/issue/54853", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU", "tags": ["Mailing List", "Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://pkg.go.dev/vuln/GO-2022-1037", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/202311-09", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB."}, {"lang": "es", "value": "Reader.Read no establece un l\u00edmite en el tama\u00f1o m\u00e1ximo de los encabezados de los archivos. Un archivo dise\u00f1ado de forma maliciosa pod\u00eda causar que Read asignara cantidades ilimitadas de memoria, causando potencialmente el agotamiento de los recursos o el p\u00e1nico. Tras la correcci\u00f3n, Reader.Read limita el tama\u00f1o m\u00e1ximo de los bloques de encabezado a 1 MiB"}], "lastModified": "2024-11-21T07:01:51.487", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9CB667C1-EC12-4400-B4F0-6D3B7DDAAD99", "versionEndExcluding": "1.18.7"}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7614AA04-CA34-4ED8-B580-005EA84BD5B4", "versionEndExcluding": "1.19.2", "versionStartIncluding": "1.19.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@golang.org"}