https://source.codeaurora.org/quic/la/platform/prebuilts/go/linux-x86/android-s-beta-1: 1 vulnerabilities (highest severity is: 7.5) #14
Description
Vulnerable Library - https://source.codeaurora.org/quic/la/platform/prebuilts/go/linux-x86/android-s-beta-1
Library home page: https://source.codeaurora.org/quic/la/platform/prebuilts/go/linux-x86/
Vulnerable Source Files (1)
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (https://source.codeaurora.org/quic/la/platform/prebuilts/go/linux-x86/android-s-beta version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-2879 |  High |
7.5 | https://source.codeaurora.org/quic/la/platform/prebuilts/go/linux-x86/android-s-beta-1 | Direct | go1.18.7,go1.19.2 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-2879
Vulnerable Library - https://source.codeaurora.org/quic/la/platform/prebuilts/go/linux-x86/android-s-beta-1
Library home page: https://source.codeaurora.org/quic/la/platform/prebuilts/go/linux-x86/
Found in base branch: master
Vulnerable Source Files (1)
Vulnerability Details
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
Publish Date: 2022-10-14
URL: CVE-2022-2879
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://pkg.go.dev/vuln/GO-2022-1037
Release Date: 2022-10-14
Fix Resolution: go1.18.7,go1.19.2