CVE-2024-28863

CVSS V2 None CVSS V3 None

Description

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

Overview

CVE ID
CVE-2024-28863

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2024-03-21T22:10:23.603Z

Last Modified Date
2024-03-21T22:10:23.603Z

Weakness Enumerations

CWE	URL
CWE-400	http://cwe.mitre.org/data/definitions/400.html
CWE-770	http://cwe.mitre.org/data/definitions/770.html

References

Reference URL	Reference Tags
https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36	x_refsource_CONFIRM
https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7	x_refsource_MISC
https://security.netapp.com/advisory/ntap-20240524-0005/

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-28863
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28863

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 07:58:51				Added to TrackCVE