tar-split memory exhaustion

RSS Feed MODERATE

GHSA-hqwh-8xv9-42hw CVE-2017-14992

Description:

Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing.

Affected Packages

Ecosystem	Package	Vulnerable Versions	Patched Version
go	`github.com/vbatts/tar-split`	`< 0.10.2`	`0.10.2`

Related Dependabot Pull Requests

All Open Closed Merged

No Related Pull Requests

No Dependabot pull requests have been found that reference this security advisory.

Actions

View on GitHub All Advisories

Advisory Details

Published:	May 17, 2022 about 4 years ago
Updated:	June 07, 2026 9 days ago
CVSS Score:	6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS:	0.42% 62th percentile
Source:	Github
Classification:	GENERAL
UUID:	`GSA_kwCzR0hTQS1ocXdoLTh4djktNDJod84AAYKW`

References

https://nvd.nist.gov/vuln/detail/CVE-2017-14992
https://github.com/moby/moby/issues/35075
https://github.com/vbatts/tar-split/pull/42
https://github.com/vbatts/tar-split/releases/tag/v0.10.2
https://web.archive.org/web/20171119174639/https://blog.cloudpassage.com/2017/10/13/discovering-docker-cve-2017-14992
https://github.com/advisories/GHSA-hqwh-8xv9-42hw

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Dependabot