Vulnerability Description
GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnu | Tar | <= 1.34 |
| Fedoraproject | Fedora | 37 |
Related Weaknesses (CWE)
References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
- https://savannah.gnu.org/bugs/?62387ExploitVendor Advisory
- https://savannah.gnu.org/patch/?10307PatchVendor Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
- https://savannah.gnu.org/bugs/?62387ExploitVendor Advisory
- https://savannah.gnu.org/patch/?10307PatchVendor Advisory
FAQ
What is CVE-2022-48303?
CVE-2022-48303 is a vulnerability with a CVSS score of 5.5 (MEDIUM). GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The iss...
How severe is CVE-2022-48303?
CVE-2022-48303 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-48303?
Check the references section above for vendor advisories and patch information. Affected products include: Gnu Tar, Fedoraproject Fedora.