What is CVE-2022-48303?

CVE-2022-48303 is a vulnerability in the Tar package that allows a remote attacker to cause a heap-based buffer overflow by persuading a victim to open a specially-crafted V7 file.

What is the severity of CVE-2022-48303?

CVE-2022-48303 has a severity score of 7.8 (high).

How does CVE-2022-48303 affect GNU Tar?

CVE-2022-48303 affects GNU Tar by causing a heap-based buffer overflow in the from_header() function in list.c when processing V7 archive files.

How can CVE-2022-48303 be fixed?

To fix CVE-2022-48303, it is recommended to update the affected GNU Tar package to version 2:1.30-6.el8_7.1 or higher.

Are there any references for CVE-2022-48303?

Yes, here are some references to learn more about CVE-2022-48303: - [GNU Savannah](https://savannah.gnu.org/bugs/?62387) - [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2149724) - [GNU Savannah Patch](https://savannah.gnu.org/patch/?10307)

Vulnerability/
CVE-2022-48303

high

7.8

CWE

119 125

30/4/2022

30/1/2023

3/8/2024

CVE-2022-48303: Buffer Overflow

First published: Sat Apr 30 2022(Updated: )

A flaw was found in the Tar package. When attempting to read files with old V7 tar format with a specially crafted checksum, an invalid memory read may occur. An attacker could possibly use this issue to expose sensitive information or cause a crash.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
redhat/tar	<2:1.30-6.el8_7.1	2:1.30-6.el8_7.1
redhat/tar	<2:1.30-5.el8_6.1	2:1.30-5.el8_6.1
redhat/tar	<2:1.34-6.el9_1	2:1.34-6.el9_1
GNU tar	<=1.34
Fedoraproject Fedora	=37
Fedoraproject Fedora	=38
IBM Cloud Pak for Security	<=1.10.0.0 - 1.10.11.0
IBM QRadar Suite Software	<=1.10.12.0 - 1.10.16.0
debian/tar	<=1.30+dfsg-6<=1.30+dfsg-6+deb10u1	1.34+dfsg-1+deb11u1 1.34+dfsg-1.2+deb12u1 1.35+dfsg-3

Remedy

https://savannah.gnu.org/patch/?10307

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2022-48303?
CVE-2022-48303 is a vulnerability in the Tar package that allows a remote attacker to cause a heap-based buffer overflow by persuading a victim to open a specially-crafted V7 file.
What is the severity of CVE-2022-48303?
CVE-2022-48303 has a severity score of 7.8 (high).
How does CVE-2022-48303 affect GNU Tar?
CVE-2022-48303 affects GNU Tar by causing a heap-based buffer overflow in the from_header() function in list.c when processing V7 archive files.
How can CVE-2022-48303 be fixed?
To fix CVE-2022-48303, it is recommended to update the affected GNU Tar package to version 2:1.30-6.el8_7.1 or higher.
Are there any references for CVE-2022-48303?
Yes, here are some references to learn more about CVE-2022-48303: - [GNU Savannah](https://savannah.gnu.org/bugs/?62387) - [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2149724) - [GNU Savannah Patch](https://savannah.gnu.org/patch/?10307)

collector/redhat-bugzilla
alias/CVE-2022-48303
collector/redhat-cve
collector/nvd-index
agent/type
agent/last-modified-date
agent/first-publish-date
agent/remedy
agent/severity
agent/weakness
agent/references
agent/author
agent/event
agent/description
collector/security-tracker-debian
source/Debian
agent/software-canonical-lookup
agent/softwarecombine
collector/ibm-support
source/IBM
agent/tags
collector/mitre-cve
source/MITRE
package-manager/redhat
vendor/gnu
canonical/gnu tar
version/gnu tar/1.34
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/37
version/fedoraproject fedora/38
package-manager/debian
vendor/ibm
canonical/ibm cloud pak for security
version/ibm cloud pak for security/1.10.0.0 - 1.10.11.0
canonical/ibm qradar suite software
version/ibm qradar suite software/1.10.12.0 - 1.10.16.0