{
  "threat_severity" : "Low",
  "public_date" : "2023-12-11T00:00:00Z",
  "bugzilla" : {
    "description" : "tar: Incorrectly handled extension attributes in PAX archives can lead to a crash",
    "id" : "2254067",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2254067"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-121",
  "details" : [ "In GNU tar before 1.35, mishandled extension attributes in a PAX archive can lead to an application crash in xheader.c.", "A flaw was found in tar. This issue occurs when extended attributes are processed in PAX archives, and could allow an attacker to cause an application crash, resulting in a denial of service." ],
  "statement" : "To exploit this flaw, an attacker needs to trick a user into processing a malicious archive, and the only impact is an application crash. For these reasons, this flaw was rated as Low rather than Moderate severity.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tar",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "tar",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "tar",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "tar",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-39804\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-39804" ],
  "name" : "CVE-2023-39804",
  "mitigation" : {
    "value" : "Do not process untrusted tar archives.",
    "lang" : "en:us"
  },
  "csaw" : false
}