VDB
RHSA-2023%3A1079
RHSA-2023%3A1079
PUBLISHED
CVSS 6.5 MEDIUM
A flaw was found in the golang package, where Reader.Read does not set a limit on the maximum size of file headers. After fixing, Reader.Read limits the maximum size of header blocks to 1 MiB. This flaw allows a maliciously crafted archive to cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panic.
Risk Scores
CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64 as a component of Red Hat OpenStack Platform 16.2 | rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64 |
| golang | go | |
| Red Hat | rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64 as a component of Red Hat OpenStack Platform 16.2 | rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64, *, rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64 |
| Red Hat | rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64 as a component of Red Hat OpenStack Platform 16.2 | rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64 |
| Red Hat | rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64 as a component of Red Hat OpenStack Platform 16.2 | rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64 |
| Red Hat | rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64 as a component of Red Hat OpenStack Platform 16.2 | rhosp-rhel8/osp-director-downloader@sha256:967c3a522c29c2d4cc5e7cb5753d835d8cf6f81100c5c2f04fe8582de33e88e3_amd64, *, * |
| Red Hat | rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64 as a component of Red Hat OpenStack Platform 16.2 | *, *, rhosp-rhel8/osp-director-operator@sha256:c49a0a5b2f1ff5068a4e6494ba3a1ccbebd9e2dfb6fd99364b9190d1225e19df_amd64 |
| Red Hat | rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64 as a component of Red Hat OpenStack Platform 16.2 | *, rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64, rhosp-rhel8/osp-director-agent@sha256:ebd4fcfacd4c31baee7498562d219ad6e7210a41b6b8cc05b6fc941b4c5d325f_amd64 |
| Red Hat | rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64 as a component of Red Hat OpenStack Platform 16.2 | rhosp-rhel8/osp-director-operator-bundle@sha256:10b0abbec12aecb237e4b25b059c1187bdbd63273ab8313bd9d51c9730caca99_amd64 |
Timeline
- Mar 6, 2023 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- May 9, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2023:1079 advisory
- https://access.redhat.com/security/updates/classification/#moderate advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2132867 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2132872 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2161274 issue
- https://issues.redhat.com/browse/OSPK8-664 advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1079.json advisory
- https://access.redhat.com/security/cve/CVE-2022-2879 advisory
- https://www.cve.org/CVERecord?id=CVE-2022-2879 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2022-2879 advisory
- https://github.com/golang/go/issues/54853 advisory
- https://github.com/vbatts/tar-split/releases/tag/v0.12.1 advisory
- https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1 advisory
- https://access.redhat.com/security/cve/CVE-2022-41715 advisory
- https://www.cve.org/CVERecord?id=CVE-2022-41715 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2022-41715 advisory
- https://github.com/golang/go/issues/55949 advisory
- https://access.redhat.com/security/cve/CVE-2022-41717 advisory
- https://www.cve.org/CVERecord?id=CVE-2022-41717 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2022-41717 advisory
…and 5 more