CVE-2021-20193 — Missing Release of Memory after Effective Lifetime in TAR

CWE-401 — Missing Release of Memory after Effective Lifetime CWE-125 — Out-of-bounds Read7 documents7 sources

Severity

3.3LOWNVD

EPSS

0.1%

top 78.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU TAR

Timeline

PublishedMar 26

Latest updateMar 15

Description

A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:LExploitability: 1.8 | Impact: 1.4

Affected Packages3 packages

▶Debiangnu/tar< 1.34+dfsg-1+3

▶NVDgnu/tar1.33

▶CVEListV5gnu/tar1.33 and earlier

Patches

Patch: bugzilla.redhat.com ↗Patch: git.savannah.gnu.org ↗Patch: savannah.gnu.org ↗

🔴Vulnerability Details

GHSA

Out-of-bounds Read and Missing Release of Memory after Effective Lifetime in tar↗2021-05-27

▶

CVEList

CVE-2021-20193: A flaw was found in the src/list↗2021-03-26

▶

OSV

CVE-2021-20193: A flaw was found in the src/list↗2021-03-26

▶

📋Vendor Advisories

Ubuntu

tar vulnerability↗2022-03-15

▶

Red Hat

tar: Memory leak in read_header() in list.c↗2021-01-17

▶

Debian

CVE-2021-20193: tar - A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an ...↗2021

▶