Search criteria
18 vulnerabilities found for octorpki by Cloudflare
CVE-2021-3978 (GCVE-0-2021-3978)
Vulnerability from nvd – Published: 2025-01-29 10:00 – Updated: 2025-02-12 16:03
VLAI?
Title
Improper Preservation of Permissions in github.com/cloudflare/cfrpki/cmd/octorpki
Summary
When copying files with rsync, octorpki uses the "-a" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root ( https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service ) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation.
Severity ?
7.5 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | octorpki |
Affected:
0 , < v1.4.2
(semver)
|
Credits
Ties de Kock
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-3978",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T14:19:06.799392Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T16:03:40.405Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/cloudflare/cfrpki/cmd/octorpki",
"defaultStatus": "unaffected",
"packageName": "octorpki",
"platforms": [
"Go"
],
"product": "octorpki",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "v1.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ties de Kock"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When copying files with rsync, octorpki uses the \"-a\" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root (\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service\"\u003ehttps://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service\u003c/a\u003e) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation."
}
],
"value": "When copying files with rsync, octorpki uses the \"-a\" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root ( https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service ) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T10:00:53.237Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3pqh-p72c-fj85"
}
],
"source": {
"advisory": "GHSA-3pqh-p72c-fj85",
"discovery": "EXTERNAL"
},
"title": "Improper Preservation of Permissions in github.com/cloudflare/cfrpki/cmd/octorpki",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2021-3978",
"datePublished": "2025-01-29T10:00:53.237Z",
"dateReserved": "2021-11-18T20:10:42.977Z",
"dateUpdated": "2025-02-12T16:03:40.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3616 (GCVE-0-2022-3616)
Vulnerability from nvd – Published: 2022-10-28 06:24 – Updated: 2025-05-05 19:19
VLAI?
Title
OctoRPKI crash when maximum iterations number is reached
Summary
Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to Donika Mirdita and Haya Shulman - Fraunhofer SIT, ATHENE, who discovered and reported this vulnerability.
Severity ?
5.4 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | OctoRPKI |
Affected:
0 , < <1.4.4
(semver)
|
Credits
Donika Mirdita - Fraunhofer SIT, ATHENE
Haya Shulman - Fraunhofer SIT, ATHENE
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:14:03.299Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-pmw9-567p-68pc"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3616",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T19:18:52.761100Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T19:19:50.911Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Go"
],
"product": "OctoRPKI",
"repo": "https://github.com/cloudflare/cfrpki",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "\u003c1.4.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Donika Mirdita - Fraunhofer SIT, ATHENE "
},
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Haya Shulman - Fraunhofer SIT, ATHENE"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAttackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to\u0026nbsp;Donika Mirdita and\u0026nbsp;Haya Shulman - Fraunhofer SIT, ATHENE, who discovered and reported this vulnerability.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to\u00a0Donika Mirdita and\u00a0Haya Shulman - Fraunhofer SIT, ATHENE, who discovered and reported this vulnerability.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-834",
"description": "CWE-834 Excessive Iteration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-29T08:43:36.139Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-pmw9-567p-68pc"
}
],
"source": {
"advisory": "GHSA-pmw9-567p-68pc",
"discovery": "EXTERNAL"
},
"title": "OctoRPKI crash when maximum iterations number is reached",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2022-3616",
"datePublished": "2022-10-28T06:24:44.189Z",
"dateReserved": "2022-10-20T11:13:34.797Z",
"dateUpdated": "2025-05-05T19:19:50.911Z",
"requesterUserId": "25b7b156-39bf-4f6b-8c25-8bc69c5c5e82",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3912 (GCVE-0-2021-3912)
Vulnerability from nvd – Published: 2021-11-11 21:45 – Updated: 2024-09-16 23:41
VLAI?
Title
OctoRPKI crashes when processing GZIP bomb returned via malicious repository
Summary
OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash).
Severity ?
4.2 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | octorpki |
Affected:
unspecified , < 1.4.0
(custom)
|
Credits
Koen van Hove
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.616Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "octorpki",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "1.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Koen van Hove"
}
],
"datePublic": "2021-11-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-12T10:06:14",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OctoRPKI crashes when processing GZIP bomb returned via malicious repository",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cloudflare.com",
"DATE_PUBLIC": "2021-11-01T22:54:00.000Z",
"ID": "CVE-2021-3912",
"STATE": "PUBLIC",
"TITLE": "OctoRPKI crashes when processing GZIP bomb returned via malicious repository"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "octorpki",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.4.0"
}
]
}
}
]
},
"vendor_name": "Cloudflare"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Koen van Hove"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash)."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg",
"refsource": "MISC",
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg"
},
{
"name": "DSA-5041",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5041"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2021-3912",
"datePublished": "2021-11-11T21:45:24.415500Z",
"dateReserved": "2021-10-26T00:00:00",
"dateUpdated": "2024-09-16T23:41:30.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3911 (GCVE-0-2021-3911)
Vulnerability from nvd – Published: 2021-11-11 21:45 – Updated: 2024-09-16 22:31
VLAI?
Title
Misconfigured IP address field in ROA leads to OctoRPKI crash
Summary
If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash.
Severity ?
4.2 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | octorpki |
Affected:
unspecified , < 1.4.0
(custom)
|
Credits
Koen van Hove
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.604Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "octorpki",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "1.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Koen van Hove"
}
],
"datePublic": "2021-11-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-12T10:06:22",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Misconfigured IP address field in ROA leads to OctoRPKI crash",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cloudflare.com",
"DATE_PUBLIC": "2021-11-01T22:52:00.000Z",
"ID": "CVE-2021-3911",
"STATE": "PUBLIC",
"TITLE": "Misconfigured IP address field in ROA leads to OctoRPKI crash"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "octorpki",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.4.0"
}
]
}
}
]
},
"vendor_name": "Cloudflare"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Koen van Hove"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22",
"refsource": "MISC",
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22"
},
{
"name": "DSA-5041",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5041"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2021-3911",
"datePublished": "2021-11-11T21:45:22.690851Z",
"dateReserved": "2021-10-26T00:00:00",
"dateUpdated": "2024-09-16T22:31:10.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3910 (GCVE-0-2021-3910)
Vulnerability from nvd – Published: 2021-11-11 21:45 – Updated: 2024-09-17 03:27
VLAI?
Title
NUL character in ROA causes OctoRPKI to crash
Summary
OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\0) character).
Severity ?
4.4 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | octorpki |
Affected:
unspecified , < 1.4.0
(custom)
|
Credits
Koen van Hove
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.697Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "octorpki",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "1.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Koen van Hove"
}
],
"datePublic": "2021-11-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\\0) character)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-12T10:06:28",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "NUL character in ROA causes OctoRPKI to crash",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cloudflare.com",
"DATE_PUBLIC": "2021-11-01T22:48:00.000Z",
"ID": "CVE-2021-3910",
"STATE": "PUBLIC",
"TITLE": "NUL character in ROA causes OctoRPKI to crash"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "octorpki",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.4.0"
}
]
}
}
]
},
"vendor_name": "Cloudflare"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Koen van Hove"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\\0) character)."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j",
"refsource": "MISC",
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j"
},
{
"name": "DSA-5041",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5041"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2021-3910",
"datePublished": "2021-11-11T21:45:21.177058Z",
"dateReserved": "2021-10-26T00:00:00",
"dateUpdated": "2024-09-17T03:27:37.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3909 (GCVE-0-2021-3909)
Vulnerability from nvd – Published: 2021-11-11 21:45 – Updated: 2024-09-16 23:06
VLAI?
Title
Infinite open connection causes OctoRPKI to hang forever
Summary
OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive.
Severity ?
4.4 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | octorpki |
Affected:
unspecified , < 1.4.0
(custom)
|
Credits
Koen van Hove
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.584Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"
},
{
"name": "DSA-5033",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-5033"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "octorpki",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "1.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Koen van Hove"
}
],
"datePublic": "2021-11-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-12T10:06:24",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"
},
{
"name": "DSA-5033",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-5033"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Infinite open connection causes OctoRPKI to hang forever",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cloudflare.com",
"DATE_PUBLIC": "2021-11-01T22:41:00.000Z",
"ID": "CVE-2021-3909",
"STATE": "PUBLIC",
"TITLE": "Infinite open connection causes OctoRPKI to hang forever"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "octorpki",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.4.0"
}
]
}
}
]
},
"vendor_name": "Cloudflare"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Koen van Hove"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244",
"refsource": "MISC",
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"
},
{
"name": "DSA-5033",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-5033"
},
{
"name": "DSA-5041",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5041"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2021-3909",
"datePublished": "2021-11-11T21:45:19.611444Z",
"dateReserved": "2021-10-26T00:00:00",
"dateUpdated": "2024-09-16T23:06:15.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3908 (GCVE-0-2021-3908)
Vulnerability from nvd – Published: 2021-11-11 21:45 – Updated: 2024-09-16 23:21
VLAI?
Title
Infinite certificate chain depth results in OctoRPKI running forever
Summary
OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end.
Severity ?
5.9 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | octorpki |
Affected:
unspecified , < 1.4.0
(custom)
|
Credits
Koen van Hove
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.610Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "octorpki",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "1.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Koen van Hove"
}
],
"datePublic": "2021-11-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-12T10:06:18",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Infinite certificate chain depth results in OctoRPKI running forever",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cloudflare.com",
"DATE_PUBLIC": "2021-11-01T22:28:00.000Z",
"ID": "CVE-2021-3908",
"STATE": "PUBLIC",
"TITLE": "Infinite certificate chain depth results in OctoRPKI running forever"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "octorpki",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.4.0"
}
]
}
}
]
},
"vendor_name": "Cloudflare"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Koen van Hove"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq",
"refsource": "MISC",
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq"
},
{
"name": "DSA-5041",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5041"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2021-3908",
"datePublished": "2021-11-11T21:45:18.120994Z",
"dateReserved": "2021-10-26T00:00:00",
"dateUpdated": "2024-09-16T23:21:31.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3907 (GCVE-0-2021-3907)
Vulnerability from nvd – Published: 2021-11-11 21:45 – Updated: 2024-09-17 03:18
VLAI?
Title
Arbitrary filepath traversal via URI injection
Summary
OctoRPKI does not escape a URI with a filename containing "..", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on.
Severity ?
7.4 (High)
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | octorpki |
Affected:
unspecified , < 1.4.3
(custom)
|
Credits
Koen van Hove
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.668Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh"
},
{
"name": "DSA-5033",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-5033"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "octorpki",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "1.4.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Koen van Hove"
}
],
"datePublic": "2021-11-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OctoRPKI does not escape a URI with a filename containing \"..\", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-23T12:10:10",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh"
},
{
"name": "DSA-5033",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-5033"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to 1.4.3"
}
],
"source": {
"advisory": "GHSA-3jhm-87m6-x959",
"discovery": "EXTERNAL"
},
"title": "Arbitrary filepath traversal via URI injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cloudflare.com",
"DATE_PUBLIC": "2021-11-01T22:16:00.000Z",
"ID": "CVE-2021-3907",
"STATE": "PUBLIC",
"TITLE": "Arbitrary filepath traversal via URI injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "octorpki",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.4.3"
}
]
}
}
]
},
"vendor_name": "Cloudflare"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Koen van Hove"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OctoRPKI does not escape a URI with a filename containing \"..\", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh",
"refsource": "MISC",
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh"
},
{
"name": "DSA-5033",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-5033"
},
{
"name": "DSA-5041",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5041"
},
{
"name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959",
"refsource": "MISC",
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to 1.4.3"
}
],
"source": {
"advisory": "GHSA-3jhm-87m6-x959",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2021-3907",
"datePublished": "2021-11-11T21:45:16.585289Z",
"dateReserved": "2021-10-26T00:00:00",
"dateUpdated": "2024-09-17T03:18:30.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3761 (GCVE-0-2021-3761)
Vulnerability from nvd – Published: 2021-09-09 14:05 – Updated: 2024-09-17 02:56
VLAI?
Title
OctoRPKI lacks contextual out-of-bounds check when validating RPKI ROA maxLength values
Summary
Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitting an invalid VRP "MaxLength" value, causing RTR sessions to terminate. An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 13335 - Cloudflare) prior to launching a BGP hijack which during normal operations would be rejected as "RPKI invalid". Additionally, in certain deployments RTR session flapping in and of itself also could cause BGP routing churn, causing availability issues.
Severity ?
7.5 (High)
CWE
- Missing out of bounds check
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | octorpki |
Affected:
unspecified , < 1.3.0
(custom)
|
Credits
Job Snijders
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:08.491Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "octorpki",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "1.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Job Snijders"
}
],
"datePublic": "2021-09-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitting an invalid VRP \"MaxLength\" value, causing RTR sessions to terminate. An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 13335 - Cloudflare) prior to launching a BGP hijack which during normal operations would be rejected as \"RPKI invalid\". Additionally, in certain deployments RTR session flapping in and of itself also could cause BGP routing churn, causing availability issues."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing out of bounds check",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-12T10:06:26",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to 1.3.0"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OctoRPKI lacks contextual out-of-bounds check when validating RPKI ROA maxLength values",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cloudflare.com",
"DATE_PUBLIC": "2021-09-03T16:28:00.000Z",
"ID": "CVE-2021-3761",
"STATE": "PUBLIC",
"TITLE": "OctoRPKI lacks contextual out-of-bounds check when validating RPKI ROA maxLength values"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "octorpki",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.3.0"
}
]
}
}
]
},
"vendor_name": "Cloudflare"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Job Snijders"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitting an invalid VRP \"MaxLength\" value, causing RTR sessions to terminate. An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 13335 - Cloudflare) prior to launching a BGP hijack which during normal operations would be rejected as \"RPKI invalid\". Additionally, in certain deployments RTR session flapping in and of itself also could cause BGP routing churn, causing availability issues."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing out of bounds check"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9",
"refsource": "MISC",
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9"
},
{
"name": "DSA-5041",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5041"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to 1.3.0"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2021-3761",
"datePublished": "2021-09-09T14:05:09.349774Z",
"dateReserved": "2021-09-01T00:00:00",
"dateUpdated": "2024-09-17T02:56:31.062Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3978 (GCVE-0-2021-3978)
Vulnerability from cvelistv5 – Published: 2025-01-29 10:00 – Updated: 2025-02-12 16:03
VLAI?
Title
Improper Preservation of Permissions in github.com/cloudflare/cfrpki/cmd/octorpki
Summary
When copying files with rsync, octorpki uses the "-a" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root ( https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service ) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation.
Severity ?
7.5 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | octorpki |
Affected:
0 , < v1.4.2
(semver)
|
Credits
Ties de Kock
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-3978",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T14:19:06.799392Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T16:03:40.405Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/cloudflare/cfrpki/cmd/octorpki",
"defaultStatus": "unaffected",
"packageName": "octorpki",
"platforms": [
"Go"
],
"product": "octorpki",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "v1.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ties de Kock"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When copying files with rsync, octorpki uses the \"-a\" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root (\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service\"\u003ehttps://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service\u003c/a\u003e) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation."
}
],
"value": "When copying files with rsync, octorpki uses the \"-a\" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root ( https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service ) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T10:00:53.237Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3pqh-p72c-fj85"
}
],
"source": {
"advisory": "GHSA-3pqh-p72c-fj85",
"discovery": "EXTERNAL"
},
"title": "Improper Preservation of Permissions in github.com/cloudflare/cfrpki/cmd/octorpki",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2021-3978",
"datePublished": "2025-01-29T10:00:53.237Z",
"dateReserved": "2021-11-18T20:10:42.977Z",
"dateUpdated": "2025-02-12T16:03:40.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3616 (GCVE-0-2022-3616)
Vulnerability from cvelistv5 – Published: 2022-10-28 06:24 – Updated: 2025-05-05 19:19
VLAI?
Title
OctoRPKI crash when maximum iterations number is reached
Summary
Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to Donika Mirdita and Haya Shulman - Fraunhofer SIT, ATHENE, who discovered and reported this vulnerability.
Severity ?
5.4 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | OctoRPKI |
Affected:
0 , < <1.4.4
(semver)
|
Credits
Donika Mirdita - Fraunhofer SIT, ATHENE
Haya Shulman - Fraunhofer SIT, ATHENE
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:14:03.299Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-pmw9-567p-68pc"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3616",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T19:18:52.761100Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T19:19:50.911Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Go"
],
"product": "OctoRPKI",
"repo": "https://github.com/cloudflare/cfrpki",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "\u003c1.4.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Donika Mirdita - Fraunhofer SIT, ATHENE "
},
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Haya Shulman - Fraunhofer SIT, ATHENE"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAttackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to\u0026nbsp;Donika Mirdita and\u0026nbsp;Haya Shulman - Fraunhofer SIT, ATHENE, who discovered and reported this vulnerability.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to\u00a0Donika Mirdita and\u00a0Haya Shulman - Fraunhofer SIT, ATHENE, who discovered and reported this vulnerability.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-834",
"description": "CWE-834 Excessive Iteration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-29T08:43:36.139Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-pmw9-567p-68pc"
}
],
"source": {
"advisory": "GHSA-pmw9-567p-68pc",
"discovery": "EXTERNAL"
},
"title": "OctoRPKI crash when maximum iterations number is reached",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2022-3616",
"datePublished": "2022-10-28T06:24:44.189Z",
"dateReserved": "2022-10-20T11:13:34.797Z",
"dateUpdated": "2025-05-05T19:19:50.911Z",
"requesterUserId": "25b7b156-39bf-4f6b-8c25-8bc69c5c5e82",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3912 (GCVE-0-2021-3912)
Vulnerability from cvelistv5 – Published: 2021-11-11 21:45 – Updated: 2024-09-16 23:41
VLAI?
Title
OctoRPKI crashes when processing GZIP bomb returned via malicious repository
Summary
OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash).
Severity ?
4.2 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | octorpki |
Affected:
unspecified , < 1.4.0
(custom)
|
Credits
Koen van Hove
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.616Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "octorpki",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "1.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Koen van Hove"
}
],
"datePublic": "2021-11-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-12T10:06:14",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OctoRPKI crashes when processing GZIP bomb returned via malicious repository",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cloudflare.com",
"DATE_PUBLIC": "2021-11-01T22:54:00.000Z",
"ID": "CVE-2021-3912",
"STATE": "PUBLIC",
"TITLE": "OctoRPKI crashes when processing GZIP bomb returned via malicious repository"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "octorpki",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.4.0"
}
]
}
}
]
},
"vendor_name": "Cloudflare"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Koen van Hove"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash)."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg",
"refsource": "MISC",
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg"
},
{
"name": "DSA-5041",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5041"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2021-3912",
"datePublished": "2021-11-11T21:45:24.415500Z",
"dateReserved": "2021-10-26T00:00:00",
"dateUpdated": "2024-09-16T23:41:30.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3911 (GCVE-0-2021-3911)
Vulnerability from cvelistv5 – Published: 2021-11-11 21:45 – Updated: 2024-09-16 22:31
VLAI?
Title
Misconfigured IP address field in ROA leads to OctoRPKI crash
Summary
If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash.
Severity ?
4.2 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | octorpki |
Affected:
unspecified , < 1.4.0
(custom)
|
Credits
Koen van Hove
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.604Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "octorpki",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "1.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Koen van Hove"
}
],
"datePublic": "2021-11-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-12T10:06:22",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Misconfigured IP address field in ROA leads to OctoRPKI crash",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cloudflare.com",
"DATE_PUBLIC": "2021-11-01T22:52:00.000Z",
"ID": "CVE-2021-3911",
"STATE": "PUBLIC",
"TITLE": "Misconfigured IP address field in ROA leads to OctoRPKI crash"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "octorpki",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.4.0"
}
]
}
}
]
},
"vendor_name": "Cloudflare"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Koen van Hove"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22",
"refsource": "MISC",
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22"
},
{
"name": "DSA-5041",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5041"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2021-3911",
"datePublished": "2021-11-11T21:45:22.690851Z",
"dateReserved": "2021-10-26T00:00:00",
"dateUpdated": "2024-09-16T22:31:10.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3910 (GCVE-0-2021-3910)
Vulnerability from cvelistv5 – Published: 2021-11-11 21:45 – Updated: 2024-09-17 03:27
VLAI?
Title
NUL character in ROA causes OctoRPKI to crash
Summary
OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\0) character).
Severity ?
4.4 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | octorpki |
Affected:
unspecified , < 1.4.0
(custom)
|
Credits
Koen van Hove
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.697Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "octorpki",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "1.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Koen van Hove"
}
],
"datePublic": "2021-11-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\\0) character)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-12T10:06:28",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "NUL character in ROA causes OctoRPKI to crash",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cloudflare.com",
"DATE_PUBLIC": "2021-11-01T22:48:00.000Z",
"ID": "CVE-2021-3910",
"STATE": "PUBLIC",
"TITLE": "NUL character in ROA causes OctoRPKI to crash"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "octorpki",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.4.0"
}
]
}
}
]
},
"vendor_name": "Cloudflare"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Koen van Hove"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\\0) character)."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j",
"refsource": "MISC",
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j"
},
{
"name": "DSA-5041",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5041"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2021-3910",
"datePublished": "2021-11-11T21:45:21.177058Z",
"dateReserved": "2021-10-26T00:00:00",
"dateUpdated": "2024-09-17T03:27:37.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3909 (GCVE-0-2021-3909)
Vulnerability from cvelistv5 – Published: 2021-11-11 21:45 – Updated: 2024-09-16 23:06
VLAI?
Title
Infinite open connection causes OctoRPKI to hang forever
Summary
OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive.
Severity ?
4.4 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | octorpki |
Affected:
unspecified , < 1.4.0
(custom)
|
Credits
Koen van Hove
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.584Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"
},
{
"name": "DSA-5033",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-5033"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "octorpki",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "1.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Koen van Hove"
}
],
"datePublic": "2021-11-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-12T10:06:24",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"
},
{
"name": "DSA-5033",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-5033"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Infinite open connection causes OctoRPKI to hang forever",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cloudflare.com",
"DATE_PUBLIC": "2021-11-01T22:41:00.000Z",
"ID": "CVE-2021-3909",
"STATE": "PUBLIC",
"TITLE": "Infinite open connection causes OctoRPKI to hang forever"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "octorpki",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.4.0"
}
]
}
}
]
},
"vendor_name": "Cloudflare"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Koen van Hove"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244",
"refsource": "MISC",
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"
},
{
"name": "DSA-5033",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-5033"
},
{
"name": "DSA-5041",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5041"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2021-3909",
"datePublished": "2021-11-11T21:45:19.611444Z",
"dateReserved": "2021-10-26T00:00:00",
"dateUpdated": "2024-09-16T23:06:15.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3908 (GCVE-0-2021-3908)
Vulnerability from cvelistv5 – Published: 2021-11-11 21:45 – Updated: 2024-09-16 23:21
VLAI?
Title
Infinite certificate chain depth results in OctoRPKI running forever
Summary
OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end.
Severity ?
5.9 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | octorpki |
Affected:
unspecified , < 1.4.0
(custom)
|
Credits
Koen van Hove
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.610Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "octorpki",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "1.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Koen van Hove"
}
],
"datePublic": "2021-11-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-12T10:06:18",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Infinite certificate chain depth results in OctoRPKI running forever",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cloudflare.com",
"DATE_PUBLIC": "2021-11-01T22:28:00.000Z",
"ID": "CVE-2021-3908",
"STATE": "PUBLIC",
"TITLE": "Infinite certificate chain depth results in OctoRPKI running forever"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "octorpki",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.4.0"
}
]
}
}
]
},
"vendor_name": "Cloudflare"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Koen van Hove"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400 Uncontrolled Resource Consumption"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq",
"refsource": "MISC",
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq"
},
{
"name": "DSA-5041",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5041"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to 1.4"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2021-3908",
"datePublished": "2021-11-11T21:45:18.120994Z",
"dateReserved": "2021-10-26T00:00:00",
"dateUpdated": "2024-09-16T23:21:31.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3907 (GCVE-0-2021-3907)
Vulnerability from cvelistv5 – Published: 2021-11-11 21:45 – Updated: 2024-09-17 03:18
VLAI?
Title
Arbitrary filepath traversal via URI injection
Summary
OctoRPKI does not escape a URI with a filename containing "..", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on.
Severity ?
7.4 (High)
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | octorpki |
Affected:
unspecified , < 1.4.3
(custom)
|
Credits
Koen van Hove
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.668Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh"
},
{
"name": "DSA-5033",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-5033"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "octorpki",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "1.4.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Koen van Hove"
}
],
"datePublic": "2021-11-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OctoRPKI does not escape a URI with a filename containing \"..\", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-23T12:10:10",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh"
},
{
"name": "DSA-5033",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-5033"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to 1.4.3"
}
],
"source": {
"advisory": "GHSA-3jhm-87m6-x959",
"discovery": "EXTERNAL"
},
"title": "Arbitrary filepath traversal via URI injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cloudflare.com",
"DATE_PUBLIC": "2021-11-01T22:16:00.000Z",
"ID": "CVE-2021-3907",
"STATE": "PUBLIC",
"TITLE": "Arbitrary filepath traversal via URI injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "octorpki",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.4.3"
}
]
}
}
]
},
"vendor_name": "Cloudflare"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Koen van Hove"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OctoRPKI does not escape a URI with a filename containing \"..\", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh",
"refsource": "MISC",
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh"
},
{
"name": "DSA-5033",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-5033"
},
{
"name": "DSA-5041",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5041"
},
{
"name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959",
"refsource": "MISC",
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to 1.4.3"
}
],
"source": {
"advisory": "GHSA-3jhm-87m6-x959",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2021-3907",
"datePublished": "2021-11-11T21:45:16.585289Z",
"dateReserved": "2021-10-26T00:00:00",
"dateUpdated": "2024-09-17T03:18:30.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3761 (GCVE-0-2021-3761)
Vulnerability from cvelistv5 – Published: 2021-09-09 14:05 – Updated: 2024-09-17 02:56
VLAI?
Title
OctoRPKI lacks contextual out-of-bounds check when validating RPKI ROA maxLength values
Summary
Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitting an invalid VRP "MaxLength" value, causing RTR sessions to terminate. An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 13335 - Cloudflare) prior to launching a BGP hijack which during normal operations would be rejected as "RPKI invalid". Additionally, in certain deployments RTR session flapping in and of itself also could cause BGP routing churn, causing availability issues.
Severity ?
7.5 (High)
CWE
- Missing out of bounds check
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | octorpki |
Affected:
unspecified , < 1.3.0
(custom)
|
Credits
Job Snijders
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:08.491Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "octorpki",
"vendor": "Cloudflare",
"versions": [
{
"lessThan": "1.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Job Snijders"
}
],
"datePublic": "2021-09-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitting an invalid VRP \"MaxLength\" value, causing RTR sessions to terminate. An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 13335 - Cloudflare) prior to launching a BGP hijack which during normal operations would be rejected as \"RPKI invalid\". Additionally, in certain deployments RTR session flapping in and of itself also could cause BGP routing churn, causing availability issues."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing out of bounds check",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-12T10:06:26",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9"
},
{
"name": "DSA-5041",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5041"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to 1.3.0"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OctoRPKI lacks contextual out-of-bounds check when validating RPKI ROA maxLength values",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cloudflare.com",
"DATE_PUBLIC": "2021-09-03T16:28:00.000Z",
"ID": "CVE-2021-3761",
"STATE": "PUBLIC",
"TITLE": "OctoRPKI lacks contextual out-of-bounds check when validating RPKI ROA maxLength values"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "octorpki",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.3.0"
}
]
}
}
]
},
"vendor_name": "Cloudflare"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Job Snijders"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitting an invalid VRP \"MaxLength\" value, causing RTR sessions to terminate. An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 13335 - Cloudflare) prior to launching a BGP hijack which during normal operations would be rejected as \"RPKI invalid\". Additionally, in certain deployments RTR session flapping in and of itself also could cause BGP routing churn, causing availability issues."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing out of bounds check"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9",
"refsource": "MISC",
"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9"
},
{
"name": "DSA-5041",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5041"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to 1.3.0"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2021-3761",
"datePublished": "2021-09-09T14:05:09.349774Z",
"dateReserved": "2021-09-01T00:00:00",
"dateUpdated": "2024-09-17T02:56:31.062Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}