摘要:
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
安全等级: Low
公告ID: KylinSec-SA-2024-2527
发布日期: 2024年5月27日
关联CVE: CVE-2024-28863
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
| cve名称 | 产品 | 组件 | 是否受影响 |
|---|---|---|---|
| CVE-2024-28863 | KY3.4-4A | nodejs-tar | Unaffected |
| CVE-2024-28863 | KY3.4-5 | nodejs-tar | Unaffected |
| CVE-2024-28863 | KY3.5.1 | nodejs-tar | Unaffected |
| CVE-2024-28863 | KY3.5.2 | nodejs-tar | Unaffected |
| CVE-2024-28863 | V6 | nodejs-tar | Unaffected |
