CVE-2024-28863

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-28863

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-28863.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-28863

Aliases

GHSA-f5x3-32g6-xq36

Related

Published

2024-03-21T23:15:10Z

Modified

2024-09-18T03:26:13.762564Z

Summary

[none]

Details

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

References

Affected packages

Debian:11 / node-tar

Package

Name: node-tar
Purl: pkg:deb/debian/node-tar?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.0.5+ds1+~cs11.3.9-1

6.0.5+ds1+~cs11.3.9-1+deb11u1

6.0.5+ds1+~cs11.3.9-1+deb11u2

6.1.0+ds1+~cs11.3.9-1

6.1.7+~cs11.3.10-1

6.1.11+~cs11.2.13-1~bpo11+1

6.1.11+~cs11.3.10-1~bpo11+1

6.1.11+~cs11.3.10-1

6.1.11+ds1+~cs6.0.6-1

6.1.11+ds1+~cs6.0.6-2

6.1.12+~cs6.1.5-1

6.1.13+~cs7.0.5-1

6.1.13+~cs7.0.5-2

6.1.13+~cs7.0.5-3

6.1.13+~cs7.0.5-4

6.2.1+~cs7.0.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / node-tar

Package

Name: node-tar
Purl: pkg:deb/debian/node-tar?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.1.13+~cs7.0.5-1

6.1.13+~cs7.0.5-2

6.1.13+~cs7.0.5-3

6.1.13+~cs7.0.5-4

6.2.1+~cs7.0.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / node-tar

Package

Name: node-tar
Purl: pkg:deb/debian/node-tar?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.13+~cs7.0.5-2

Affected versions

6.*

6.1.13+~cs7.0.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/isaacs/node-tar

Affected ranges

Type: GIT
Repo: https://github.com/isaacs/node-tar
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

fe8cd57da5686f8695415414bda49206a545f7f7

Affected versions

0.*

0.1.0

0.1.10

0.1.11

0.1.12

0.1.13

0.1.2

0.1.3

0.1.5

0.1.6

0.1.7

0.1.8

0.1.9

v0.*

v0.1.14

v0.1.15

v0.1.16

v0.1.17

v0.1.18

v0.1.19

v0.1.20

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v2.*

v2.0.0

v2.0.1

v2.1.0

v2.1.1

v2.2.1

v3.*

v3.0.0

v3.0.1

v3.1.0

v3.1.1

v3.1.10

v3.1.11

v3.1.12

v3.1.13

v3.1.14

v3.1.15

v3.1.2

v3.1.3

v3.1.4

v3.1.5

v3.1.6

v3.1.7

v3.1.8

v3.1.9

v3.2.0

v4.*

v4.0.0

v4.0.1

v4.0.2

v4.1.0

v4.1.1

v4.1.2

v4.2.0

v4.3.0

v4.3.1

v4.3.2

v4.3.3

v4.4.0

v4.4.1

v4.4.10

v4.4.11

v4.4.12

v4.4.13

v4.4.2

v4.4.3

v4.4.4

v4.4.5

v4.4.6

v4.4.7

v4.4.8

v4.4.9

v5.*

v5.0.0

v5.0.1

v5.0.2

v5.0.3

v5.0.4

v5.0.5

v6.*

v6.0.0

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.0.5

v6.1.0

v6.1.1

v6.1.10

v6.1.11

v6.1.12

v6.1.13

v6.1.14

v6.1.15

v6.1.2

v6.1.3

v6.1.4

v6.1.5

v6.1.6

v6.1.7

v6.1.8

v6.1.9

v6.2.0