CVE-2024-28863

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-28863
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-28863.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-28863
Aliases
Related
Published
2024-03-21T23:15:10Z
Modified
2024-10-12T11:21:22.733195Z
Summary
[none]
Details

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

References

Affected packages

Debian:11 / node-tar

Package

Name
node-tar
Purl
pkg:deb/debian/node-tar?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.0.5+ds1+~cs11.3.9-1
6.0.5+ds1+~cs11.3.9-1+deb11u1
6.0.5+ds1+~cs11.3.9-1+deb11u2
6.1.0+ds1+~cs11.3.9-1
6.1.7+~cs11.3.10-1
6.1.11+~cs11.2.13-1~bpo11+1
6.1.11+~cs11.3.10-1~bpo11+1
6.1.11+~cs11.3.10-1
6.1.11+ds1+~cs6.0.6-1
6.1.11+ds1+~cs6.0.6-2
6.1.12+~cs6.1.5-1
6.1.13+~cs7.0.5-1
6.1.13+~cs7.0.5-2
6.1.13+~cs7.0.5-3
6.1.13+~cs7.0.5-4
6.2.1+~cs7.0.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / node-tar

Package

Name
node-tar
Purl
pkg:deb/debian/node-tar?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.1.13+~cs7.0.5-1
6.1.13+~cs7.0.5-2
6.1.13+~cs7.0.5-3
6.1.13+~cs7.0.5-4
6.2.1+~cs7.0.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / node-tar

Package

Name
node-tar
Purl
pkg:deb/debian/node-tar?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.13+~cs7.0.5-2

Affected versions

6.*

6.1.13+~cs7.0.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/isaacs/node-tar

Affected ranges

Type
GIT
Repo
https://github.com/isaacs/node-tar
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.1.0
0.1.10
0.1.11
0.1.12
0.1.13
0.1.2
0.1.3
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9

v0.*

v0.1.14
v0.1.15
v0.1.16
v0.1.17
v0.1.18
v0.1.19
v0.1.20

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.3

v2.*

v2.0.0
v2.0.1
v2.1.0
v2.1.1
v2.2.1

v3.*

v3.0.0
v3.0.1
v3.1.0
v3.1.1
v3.1.10
v3.1.11
v3.1.12
v3.1.13
v3.1.14
v3.1.15
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.2.0

v4.*

v4.0.0
v4.0.1
v4.0.2
v4.1.0
v4.1.1
v4.1.2
v4.2.0
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.4.0
v4.4.1
v4.4.10
v4.4.11
v4.4.12
v4.4.13
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.4.6
v4.4.7
v4.4.8
v4.4.9

v5.*

v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5

v6.*

v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.1.0
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2.0