Vulnerability Description
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.18.7 |
Related Weaknesses (CWE)
References
- https://go.dev/cl/439355Patch
- https://go.dev/issue/54853Issue TrackingThird Party Advisory
- https://groups.google.com/g/golang-announce/c/xtuG5faxtaUMailing ListRelease Notes
- https://pkg.go.dev/vuln/GO-2022-1037Vendor Advisory
- https://security.gentoo.org/glsa/202311-09
- https://go.dev/cl/439355Patch
- https://go.dev/issue/54853Issue TrackingThird Party Advisory
- https://groups.google.com/g/golang-announce/c/xtuG5faxtaUMailing ListRelease Notes
- https://pkg.go.dev/vuln/GO-2022-1037Vendor Advisory
- https://security.gentoo.org/glsa/202311-09
FAQ
What is CVE-2022-2879?
CVE-2022-2879 is a vulnerability with a CVSS score of 7.5 (HIGH). Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or...
How severe is CVE-2022-2879?
CVE-2022-2879 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-2879?
Check the references section above for vendor advisories and patch information. Affected products include: Golang Go.