Bug 2293200 (CVE-2024-28863) - CVE-2024-28863 node-tar: denial of service while parsing a tar file due to lack of folders depth validation
Keywords:
Status: NEW
Alias: CVE-2024-28863
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2293210 2293211 2293212 2293220 2293213 2293214 2293216 2293217 2293218 2293219 2293221 2293238 2293255 2293256 2293257 2293258 2299178 2299179 2299180 2310139 2310140 2310153 2310154 2311072 2311074 2311076 2311078 2311081 2311082 2311083 2311084 2311086
Blocks: 2293261
Reported: 2024-06-20 09:18 UTC by TEJ RATHI
Modified: 2025-03-17 23:45 UTC (History)

Fixed In Version: node-tar 6.2.1
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:5947 0 None None None 2024-08-28 16:06:20 UTC
Red Hat Product Errata RHBA-2024:5950 0 None None None 2024-08-28 17:05:23 UTC
Red Hat Product Errata RHBA-2024:5954 0 None None None 2024-08-28 17:37:21 UTC
Red Hat Product Errata RHBA-2024:6154 0 None None None 2024-09-03 05:23:10 UTC
Red Hat Product Errata RHBA-2024:6231 0 None None None 2024-09-03 14:24:01 UTC
Red Hat Product Errata RHBA-2024:6431 0 None None None 2024-09-05 14:55:07 UTC
Red Hat Product Errata RHSA-2024:4591 0 None None None 2024-07-17 13:25:09 UTC
Red Hat Product Errata RHSA-2024:5814 0 None None None 2024-08-26 08:29:09 UTC
Red Hat Product Errata RHSA-2024:6147 0 None None None 2024-09-03 02:23:05 UTC
Red Hat Product Errata RHSA-2024:6148 0 None None None 2024-09-03 02:25:00 UTC
Red Hat Product Errata RHSA-2024:6755 0 None None None 2024-09-18 11:58:09 UTC
Red Hat Product Errata RHSA-2024:7164 0 None None None 2024-09-26 03:47:18 UTC
Red Hat Product Errata RHSA-2024:8906 0 None None None 2024-11-05 17:24:40 UTC

Description TEJ RATHI 2024-06-20 09:18:22 UTC
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within a few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7
https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36
https://security.netapp.com/advisory/ntap-20240524-0005/

Comment 1 TEJ RATHI 2024-06-20 10:31:36 UTC
Created nodejs18 tracking bugs for this issue:

Affects: fedora-39 [bug 2293213]
Affects: fedora-40 [bug 2293218]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-39 [bug 2293214]
Affects: fedora-40 [bug 2293219]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2293210]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2293211]


Created rstudio tracking bugs for this issue:

Affects: fedora-39 [bug 2293216]
Affects: fedora-40 [bug 2293220]


Created yarnpkg tracking bugs for this issue:

Affects: epel-8 [bug 2293212]
Affects: fedora-39 [bug 2293217]
Affects: fedora-40 [bug 2293221]

Comment 20 errata-xmlrpc 2024-07-17 13:25:01 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:4591 https://access.redhat.com/errata/RHSA-2024:4591

Comment 21 errata-xmlrpc 2024-08-26 08:29:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5814 https://access.redhat.com/errata/RHSA-2024:5814

Comment 23 errata-xmlrpc 2024-09-03 02:22:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6147 https://access.redhat.com/errata/RHSA-2024:6147

Comment 24 errata-xmlrpc 2024-09-03 02:24:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6148 https://access.redhat.com/errata/RHSA-2024:6148

Comment 25 errata-xmlrpc 2024-09-18 11:58:03 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:6755 https://access.redhat.com/errata/RHSA-2024:6755

Comment 26 errata-xmlrpc 2024-09-26 03:47:12 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2024:7164 https://access.redhat.com/errata/RHSA-2024:7164

Comment 28 errata-xmlrpc 2024-11-05 17:24:33 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.16 for RHEL 8
  Red Hat Satellite 6.16 for RHEL 9

Via RHSA-2024:8906 https://access.redhat.com/errata/RHSA-2024:8906

