
    18 vulnerabilities found for octorpki by cloudflare

    CVE-2021-3978 (GCVE-0-2021-3978)

    Vulnerability from nvd – Published: 2025-01-29 10:00 – Updated: 2025-02-12 16:03
    Title
    Improper Preservation of Permissions in github.com/cloudflare/cfrpki/cmd/octorpki
    Summary
    When copying files with rsync, octorpki uses the "-a" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root ( https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service ), this could provide a vector for local privilege escalation when combined with another vulnerability that causes octorpki to process a malicious TAL file.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Vendor Product Version
    Cloudflare octorpki Affected: 0 , < v1.4.2 (semver)
    Credits
    Ties de Kock

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-3978",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-29T14:19:06.799392Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T16:03:40.405Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/cloudflare/cfrpki/cmd/octorpki",
              "defaultStatus": "unaffected",
              "packageName": "octorpki",
              "platforms": [
                "Go"
              ],
              "product": "octorpki",
              "vendor": "Cloudflare",
              "versions": [
                {
                  "lessThan": "v1.4.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ties de Kock"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "When copying files with rsync, octorpki uses the \"-a\" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root (\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service\"\u003ehttps://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service\u003c/a\u003e) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation."
                }
              ],
              "value": "When copying files with rsync, octorpki uses the \"-a\" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root ( https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service ) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-29T10:00:53.237Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3pqh-p72c-fj85"
            }
          ],
          "source": {
            "advisory": "GHSA-3pqh-p72c-fj85",
            "discovery": "EXTERNAL"
          },
          "title": "Improper Preservation of Permissions in github.com/cloudflare/cfrpki/cmd/octorpki",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2021-3978",
        "datePublished": "2025-01-29T10:00:53.237Z",
        "dateReserved": "2021-11-18T20:10:42.977Z",
        "dateUpdated": "2025-02-12T16:03:40.405Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3616 (GCVE-0-2022-3616)

    Vulnerability from nvd – Published: 2022-10-28 06:24 – Updated: 2025-05-05 19:19
    Title
    OctoRPKI crash when maximum iterations number is reached
    Summary
    Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. As a consequence, the program would crash, preventing it from finishing the validation and leading to a denial of service. Credits to Donika Mirdita and Haya Shulman - Fraunhofer SIT, ATHENE, who discovered and reported this vulnerability.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-754 - Improper Check for Unusual or Exceptional Conditions
    • CWE-834 - Excessive Iteration
    Assigner
    Impacted products
    Vendor Product Version
    Cloudflare OctoRPKI Affected: 0 , < 1.4.4 (semver)
    Credits
    Donika Mirdita - Fraunhofer SIT, ATHENE; Haya Shulman - Fraunhofer SIT, ATHENE

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:14:03.299Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-pmw9-567p-68pc"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-3616",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-05T19:18:52.761100Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-05T19:19:50.911Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Go"
              ],
              "product": "OctoRPKI",
              "repo": "https://github.com/cloudflare/cfrpki",
              "vendor": "Cloudflare",
              "versions": [
                {
                  "lessThan": "\u003c1.4.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Donika Mirdita - Fraunhofer SIT, ATHENE "
            },
            {
              "lang": "en",
              "type": "reporter",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Haya Shulman - Fraunhofer SIT, ATHENE"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAttackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to\u0026nbsp;Donika Mirdita and\u0026nbsp;Haya Shulman - Fraunhofer SIT, ATHENE, who discovered and reported this vulnerability.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to\u00a0Donika Mirdita and\u00a0Haya Shulman - Fraunhofer SIT, ATHENE, who discovered and reported this vulnerability.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-153",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-153 Input Data Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-754",
                  "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-834",
                  "description": "CWE-834 Excessive Iteration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-29T08:43:36.139Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-pmw9-567p-68pc"
            }
          ],
          "source": {
            "advisory": "GHSA-pmw9-567p-68pc",
            "discovery": "EXTERNAL"
          },
          "title": "OctoRPKI crash when maximum iterations number is reached",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2022-3616",
        "datePublished": "2022-10-28T06:24:44.189Z",
        "dateReserved": "2022-10-20T11:13:34.797Z",
        "dateUpdated": "2025-05-05T19:19:50.911Z",
        "requesterUserId": "25b7b156-39bf-4f6b-8c25-8bc69c5c5e82",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3912 (GCVE-0-2021-3912)

    Vulnerability from nvd – Published: 2021-11-11 21:45 – Updated: 2024-09-16 23:41
    Title
    OctoRPKI crashes when processing GZIP bomb returned via malicious repository
    Summary
    OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash).
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloudflare octorpki Affected: unspecified , < 1.4.0 (custom)
    Date Public
    2021-11-01 00:00
    Credits
    Koen van Hove

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:09.616Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg"
              },
              {
                "name": "DSA-5041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2022/dsa-5041"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "octorpki",
              "vendor": "Cloudflare",
              "versions": [
                {
                  "lessThan": "1.4.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Koen van Hove"
            }
          ],
          "datePublic": "2021-11-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-12T10:06:14.000Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg"
            },
            {
              "name": "DSA-5041",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5041"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 1.4"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "OctoRPKI crashes when processing GZIP bomb returned via malicious repository",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@cloudflare.com",
              "DATE_PUBLIC": "2021-11-01T22:54:00.000Z",
              "ID": "CVE-2021-3912",
              "STATE": "PUBLIC",
              "TITLE": "OctoRPKI crashes when processing GZIP bomb returned via malicious repository"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "octorpki",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloudflare"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Koen van Hove"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash)."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg",
                  "refsource": "MISC",
                  "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg"
                },
                {
                  "name": "DSA-5041",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2022/dsa-5041"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to 1.4"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2021-3912",
        "datePublished": "2021-11-11T21:45:24.415Z",
        "dateReserved": "2021-10-26T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:41:30.954Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3911 (GCVE-0-2021-3911)

    Vulnerability from nvd – Published: 2021-11-11 21:45 – Updated: 2024-09-16 22:31
    Title
    Misconfigured IP address field in ROA leads to OctoRPKI crash
    Summary
    If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloudflare octorpki Affected: unspecified , < 1.4.0 (custom)
    Date Public
    2021-11-01 00:00
    Credits
    Koen van Hove

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:09.604Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22"
              },
              {
                "name": "DSA-5041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2022/dsa-5041"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "octorpki",
              "vendor": "Cloudflare",
              "versions": [
                {
                  "lessThan": "1.4.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Koen van Hove"
            }
          ],
          "datePublic": "2021-11-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-12T10:06:22.000Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22"
            },
            {
              "name": "DSA-5041",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5041"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 1.4"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Misconfigured IP address field in ROA leads to OctoRPKI crash",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@cloudflare.com",
              "DATE_PUBLIC": "2021-11-01T22:52:00.000Z",
              "ID": "CVE-2021-3911",
              "STATE": "PUBLIC",
              "TITLE": "Misconfigured IP address field in ROA leads to OctoRPKI crash"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "octorpki",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloudflare"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Koen van Hove"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22",
                  "refsource": "MISC",
                  "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22"
                },
                {
                  "name": "DSA-5041",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2022/dsa-5041"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to 1.4"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2021-3911",
        "datePublished": "2021-11-11T21:45:22.690Z",
        "dateReserved": "2021-10-26T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:31:10.731Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3910 (GCVE-0-2021-3910)

    Vulnerability from nvd – Published: 2021-11-11 21:45 – Updated: 2024-09-17 03:27
    Title
    NUL character in ROA causes OctoRPKI to crash
    Summary
    OctoRPKI crashes when it encounters a repository that returns an invalid ROA (a file consisting of just a single encoded NUL (\0) character). Because the input is fetched from a remote repository, any publication point in the validated tree can trigger the crash.
    CWE
    • CWE-20 - Improper Input Validation
    Impacted products
    Vendor Product Version
    Cloudflare octorpki Affected: unspecified , < 1.4.0 (custom)
    Date Public
    2021-11-01 00:00
    Credits
    Koen van Hove

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:09.697Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j"
              },
              {
                "name": "DSA-5041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2022/dsa-5041"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "octorpki",
              "vendor": "Cloudflare",
              "versions": [
                {
                  "lessThan": "1.4.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Koen van Hove"
            }
          ],
          "datePublic": "2021-11-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\\0) character)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-12T10:06:28.000Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j"
            },
            {
              "name": "DSA-5041",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5041"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 1.4"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "NUL character in ROA causes OctoRPKI to crash",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@cloudflare.com",
              "DATE_PUBLIC": "2021-11-01T22:48:00.000Z",
              "ID": "CVE-2021-3910",
              "STATE": "PUBLIC",
              "TITLE": "NUL character in ROA causes OctoRPKI to crash"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "octorpki",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloudflare"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Koen van Hove"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\\0) character)."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j",
                  "refsource": "MISC",
                  "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j"
                },
                {
                  "name": "DSA-5041",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2022/dsa-5041"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to 1.4"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2021-3910",
        "datePublished": "2021-11-11T21:45:21.177Z",
        "dateReserved": "2021-10-26T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:27:37.742Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3909 (GCVE-0-2021-3909)

    Vulnerability from nvd – Published: 2021-11-11 21:45 – Updated: 2024-09-16 23:06
    Title
    Infinite open connection causes OctoRPKI to hang forever
    Summary
    OctoRPKI does not bound how long it waits on a single connection, allowing a slowloris-style DoS in which a repository makes OctoRPKI wait indefinitely. Specifically, a malicious repository that OctoRPKI sends HTTP requests to can keep the connection open for a day before returning a response, drip-feeding new bytes so the connection is never considered idle and closed.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    References
    URL Tags
    https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244 x_refsource_MISC
    https://www.debian.org/security/2021/dsa-5033 vendor-advisory, x_refsource_DEBIAN
    https://www.debian.org/security/2022/dsa-5041 vendor-advisory, x_refsource_DEBIAN
    Impacted products
    Vendor Product Version
    Cloudflare octorpki Affected: unspecified , < 1.4.0 (custom)
    Date Public
    2021-11-01 00:00
    Credits
    Koen van Hove

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:09.584Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"
              },
              {
                "name": "DSA-5033",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2021/dsa-5033"
              },
              {
                "name": "DSA-5041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2022/dsa-5041"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "octorpki",
              "vendor": "Cloudflare",
              "versions": [
                {
                  "lessThan": "1.4.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Koen van Hove"
            }
          ],
          "datePublic": "2021-11-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-12T10:06:24.000Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"
            },
            {
              "name": "DSA-5033",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2021/dsa-5033"
            },
            {
              "name": "DSA-5041",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5041"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 1.4"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Infinite open connection causes OctoRPKI to hang forever",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@cloudflare.com",
              "DATE_PUBLIC": "2021-11-01T22:41:00.000Z",
              "ID": "CVE-2021-3909",
              "STATE": "PUBLIC",
              "TITLE": "Infinite open connection causes OctoRPKI to hang forever"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "octorpki",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloudflare"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Koen van Hove"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244",
                  "refsource": "MISC",
                  "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"
                },
                {
                  "name": "DSA-5033",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2021/dsa-5033"
                },
                {
                  "name": "DSA-5041",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2022/dsa-5041"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to 1.4"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2021-3909",
        "datePublished": "2021-11-11T21:45:19.611Z",
        "dateReserved": "2021-10-26T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:06:15.208Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3908 (GCVE-0-2021-3908)

    Vulnerability from nvd – Published: 2021-11-11 21:45 – Updated: 2024-09-16 23:21
    Title
    Infinite certificate chain depth results in OctoRPKI running forever
    Summary
    OctoRPKI does not limit the depth of a certificate chain, so a CA can keep issuing child CA certificates on the fly, making tree traversal never terminate. Unlike the other issues disclosed alongside it, this one is rated PR:N (no privileges required): any CA reachable from a configured TAL can trigger it.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Impacted products
    Vendor Product Version
    Cloudflare octorpki Affected: unspecified , < 1.4.0 (custom)
    Date Public
    2021-11-01 00:00
    Credits
    Koen van Hove

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:09.610Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq"
              },
              {
                "name": "DSA-5041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2022/dsa-5041"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "octorpki",
              "vendor": "Cloudflare",
              "versions": [
                {
                  "lessThan": "1.4.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Koen van Hove"
            }
          ],
          "datePublic": "2021-11-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-12T10:06:18.000Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq"
            },
            {
              "name": "DSA-5041",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5041"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 1.4"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Infinite certificate chain depth results in OctoRPKI running forever",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@cloudflare.com",
              "DATE_PUBLIC": "2021-11-01T22:28:00.000Z",
              "ID": "CVE-2021-3908",
              "STATE": "PUBLIC",
              "TITLE": "Infinite certificate chain depth results in OctoRPKI running forever"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "octorpki",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloudflare"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Koen van Hove"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq",
                  "refsource": "MISC",
                  "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq"
                },
                {
                  "name": "DSA-5041",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2022/dsa-5041"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to 1.4"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2021-3908",
        "datePublished": "2021-11-11T21:45:18.120Z",
        "dateReserved": "2021-10-26T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:21:31.088Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3907 (GCVE-0-2021-3907)

    Vulnerability from nvd – Published: 2021-11-11 21:45 – Updated: 2024-09-17 03:18
    Title
    Arbitrary filepath traversal via URI injection
    Summary
    OctoRPKI does not sanitize a URI whose filename contains "..", so a repository can supply a file name such as rsync://example.org/repo/../../etc/cron.daily/evil.roa that is then written to disk outside the base cache folder. This could allow remote code execution on the host machine OctoRPKI is running on. Note that the affected range runs to < 1.4.3 and two advisories are referenced for this CVE, so confirm you are on 1.4.3 or later rather than the 1.4.0 release that addressed the other issues disclosed at the same time.
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Impacted products
    Vendor Product Version
    Cloudflare octorpki Affected: unspecified , < 1.4.3 (custom)
    Date Public
    2021-11-01 00:00
    Credits
    Koen van Hove

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:09.668Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh"
              },
              {
                "name": "DSA-5033",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2021/dsa-5033"
              },
              {
                "name": "DSA-5041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2022/dsa-5041"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "octorpki",
              "vendor": "Cloudflare",
              "versions": [
                {
                  "lessThan": "1.4.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Koen van Hove"
            }
          ],
          "datePublic": "2021-11-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "OctoRPKI does not escape a URI with a filename containing \"..\", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-23T12:10:10.000Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh"
            },
            {
              "name": "DSA-5033",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2021/dsa-5033"
            },
            {
              "name": "DSA-5041",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5041"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 1.4.3"
            }
          ],
          "source": {
            "advisory": "GHSA-3jhm-87m6-x959",
            "discovery": "EXTERNAL"
          },
          "title": "Arbitrary filepath traversal via URI injection",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@cloudflare.com",
              "DATE_PUBLIC": "2021-11-01T22:16:00.000Z",
              "ID": "CVE-2021-3907",
              "STATE": "PUBLIC",
              "TITLE": "Arbitrary filepath traversal via URI injection"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "octorpki",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.4.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloudflare"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Koen van Hove"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OctoRPKI does not escape a URI with a filename containing \"..\", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                },
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh",
                  "refsource": "MISC",
                  "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh"
                },
                {
                  "name": "DSA-5033",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2021/dsa-5033"
                },
                {
                  "name": "DSA-5041",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2022/dsa-5041"
                },
                {
                  "name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959",
                  "refsource": "MISC",
                  "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to 1.4.3"
              }
            ],
            "source": {
              "advisory": "GHSA-3jhm-87m6-x959",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2021-3907",
        "datePublished": "2021-11-11T21:45:16.585Z",
        "dateReserved": "2021-10-26T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:18:30.852Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3761 (GCVE-0-2021-3761)

    Vulnerability from nvd – Published: 2021-09-09 14:05 – Updated: 2024-09-17 02:56
    Title
    OctoRPKI lacks contextual out-of-bounds check when validating RPKI ROA maxLength values
    Summary
    Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitting an invalid VRP "MaxLength" value, causing RTR sessions to terminate. An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 13335 - Cloudflare) prior to launching a BGP hijack which during normal operations would be rejected as "RPKI invalid". Additionally, in certain deployments RTR session flapping in and of itself also could cause BGP routing churn, causing availability issues.
    CWE
    • Missing out of bounds check
    Impacted products
    Vendor Product Version
    Cloudflare octorpki Affected: unspecified, < 1.3.0 (custom)
    Date Public
    2021-09-03 00:00
    Credits
    Job Snijders

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:08.491Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9"
              },
              {
                "name": "DSA-5041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2022/dsa-5041"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "octorpki",
              "vendor": "Cloudflare",
              "versions": [
                {
                  "lessThan": "1.3.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Job Snijders"
            }
          ],
          "datePublic": "2021-09-03T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitting an invalid VRP \"MaxLength\" value, causing RTR sessions to terminate. An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 13335 - Cloudflare) prior to launching a BGP hijack which during normal operations would be rejected as \"RPKI invalid\". Additionally, in certain deployments RTR session flapping in and of itself also could cause BGP routing churn, causing availability issues."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Missing out of bounds check",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-12T10:06:26.000Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9"
            },
            {
              "name": "DSA-5041",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5041"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 1.3.0"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "OctoRPKI lacks contextual out-of-bounds check when validating RPKI ROA maxLength values",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@cloudflare.com",
              "DATE_PUBLIC": "2021-09-03T16:28:00.000Z",
              "ID": "CVE-2021-3761",
              "STATE": "PUBLIC",
              "TITLE": "OctoRPKI lacks contextual out-of-bounds check when validating RPKI ROA maxLength values"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "octorpki",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloudflare"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Job Snijders"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitting an invalid VRP \"MaxLength\" value, causing RTR sessions to terminate. An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 13335 - Cloudflare) prior to launching a BGP hijack which during normal operations would be rejected as \"RPKI invalid\". Additionally, in certain deployments RTR session flapping in and of itself also could cause BGP routing churn, causing availability issues."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Missing out of bounds check"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9",
                  "refsource": "MISC",
                  "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9"
                },
                {
                  "name": "DSA-5041",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2022/dsa-5041"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to 1.3.0"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2021-3761",
        "datePublished": "2021-09-09T14:05:09.349Z",
        "dateReserved": "2021-09-01T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:56:31.062Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3978 (GCVE-0-2021-3978)

    Vulnerability from cvelistv5 – Published: 2025-01-29 10:00 – Updated: 2025-02-12 16:03
    Title
    Improper Preservation of Permissions in github.com/cloudflare/cfrpki/cmd/octorpki
    Summary
    When copying files with rsync, octorpki uses the "-a" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root ( https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service ) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Impacted products
    Vendor Product Version
    Cloudflare octorpki Affected: 0, < v1.4.2 (semver)
    Credits
    Ties de Kock

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-3978",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-29T14:19:06.799392Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T16:03:40.405Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/cloudflare/cfrpki/cmd/octorpki",
              "defaultStatus": "unaffected",
              "packageName": "octorpki",
              "platforms": [
                "Go"
              ],
              "product": "octorpki",
              "vendor": "Cloudflare",
              "versions": [
                {
                  "lessThan": "v1.4.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ties de Kock"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "When copying files with rsync, octorpki uses the \"-a\" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root (\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service\"\u003ehttps://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service\u003c/a\u003e) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation."
                }
              ],
              "value": "When copying files with rsync, octorpki uses the \"-a\" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root ( https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service ) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-29T10:00:53.237Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3pqh-p72c-fj85"
            }
          ],
          "source": {
            "advisory": "GHSA-3pqh-p72c-fj85",
            "discovery": "EXTERNAL"
          },
          "title": "Improper Preservation of Permissions in github.com/cloudflare/cfrpki/cmd/octorpki",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2021-3978",
        "datePublished": "2025-01-29T10:00:53.237Z",
        "dateReserved": "2021-11-18T20:10:42.977Z",
        "dateUpdated": "2025-02-12T16:03:40.405Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-3616 (GCVE-0-2022-3616)

    Vulnerability from cvelistv5 – Published: 2022-10-28 06:24 – Updated: 2025-05-05 19:19
    Title
    OctoRPKI crash when maximum iterations number is reached
    Summary
    Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to Donika Mirdita and Haya Shulman - Fraunhofer SIT, ATHENE, who discovered and reported this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-754 - Improper Check for Unusual or Exceptional Conditions
    • CWE-834 - Excessive Iteration
    Impacted products
    Vendor Product Version
    Cloudflare OctoRPKI Affected: 0, < <1.4.4 (semver) — the doubled comparator comes from the record itself, whose lessThan field holds "<1.4.4" rather than a bare version; tooling that matches affected versions by semver may not parse this bound.
    Credits
    Donika Mirdita - Fraunhofer SIT, ATHENE; Haya Shulman - Fraunhofer SIT, ATHENE

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T01:14:03.299Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-pmw9-567p-68pc"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-3616",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-05T19:18:52.761100Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-05T19:19:50.911Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Go"
              ],
              "product": "OctoRPKI",
              "repo": "https://github.com/cloudflare/cfrpki",
              "vendor": "Cloudflare",
              "versions": [
                {
                  "lessThan": "\u003c1.4.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Donika Mirdita - Fraunhofer SIT, ATHENE "
            },
            {
              "lang": "en",
              "type": "reporter",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Haya Shulman - Fraunhofer SIT, ATHENE"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAttackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to\u0026nbsp;Donika Mirdita and\u0026nbsp;Haya Shulman - Fraunhofer SIT, ATHENE, who discovered and reported this vulnerability.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to\u00a0Donika Mirdita and\u00a0Haya Shulman - Fraunhofer SIT, ATHENE, who discovered and reported this vulnerability.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-153",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-153 Input Data Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-754",
                  "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-834",
                  "description": "CWE-834 Excessive Iteration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-29T08:43:36.139Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-pmw9-567p-68pc"
            }
          ],
          "source": {
            "advisory": "GHSA-pmw9-567p-68pc",
            "discovery": "EXTERNAL"
          },
          "title": "OctoRPKI crash when maximum iterations number is reached",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2022-3616",
        "datePublished": "2022-10-28T06:24:44.189Z",
        "dateReserved": "2022-10-20T11:13:34.797Z",
        "dateUpdated": "2025-05-05T19:19:50.911Z",
        "requesterUserId": "25b7b156-39bf-4f6b-8c25-8bc69c5c5e82",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3912 (GCVE-0-2021-3912)

    Vulnerability from cvelistv5 – Published: 2021-11-11 21:45 – Updated: 2024-09-16 23:41
    Title
    OctoRPKI crashes when processing GZIP bomb returned via malicious repository
    Summary
    OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash).
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Impacted products
    Vendor Product Version
    Cloudflare octorpki Affected: unspecified, < 1.4.0 (custom)
    Date Public
    2021-11-01 00:00
    Credits
    Koen van Hove

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:09.616Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg"
              },
              {
                "name": "DSA-5041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2022/dsa-5041"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "octorpki",
              "vendor": "Cloudflare",
              "versions": [
                {
                  "lessThan": "1.4.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Koen van Hove"
            }
          ],
          "datePublic": "2021-11-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-12T10:06:14.000Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg"
            },
            {
              "name": "DSA-5041",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5041"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 1.4"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "OctoRPKI crashes when processing GZIP bomb returned via malicious repository",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@cloudflare.com",
              "DATE_PUBLIC": "2021-11-01T22:54:00.000Z",
              "ID": "CVE-2021-3912",
              "STATE": "PUBLIC",
              "TITLE": "OctoRPKI crashes when processing GZIP bomb returned via malicious repository"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "octorpki",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloudflare"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Koen van Hove"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash)."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg",
                  "refsource": "MISC",
                  "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg"
                },
                {
                  "name": "DSA-5041",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2022/dsa-5041"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to 1.4"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2021-3912",
        "datePublished": "2021-11-11T21:45:24.415Z",
        "dateReserved": "2021-10-26T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:41:30.954Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3911 (GCVE-0-2021-3911)

    Vulnerability from cvelistv5 – Published: 2021-11-11 21:45 – Updated: 2024-09-16 22:31
    Title
    Misconfigured IP address field in ROA leads to OctoRPKI crash
    Summary
    If the ROA that a repository returns contains too many bits for the IP address, then OctoRPKI will crash.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloudflare octorpki Affected: unspecified , < 1.4.0 (custom)
    Date Public
    2021-11-01 00:00
    Credits
    Koen van Hove

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:09.604Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22"
              },
              {
                "name": "DSA-5041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2022/dsa-5041"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "octorpki",
              "vendor": "Cloudflare",
              "versions": [
                {
                  "lessThan": "1.4.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Koen van Hove"
            }
          ],
          "datePublic": "2021-11-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-12T10:06:22.000Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22"
            },
            {
              "name": "DSA-5041",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5041"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 1.4"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Misconfigured IP address field in ROA leads to OctoRPKI crash",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@cloudflare.com",
              "DATE_PUBLIC": "2021-11-01T22:52:00.000Z",
              "ID": "CVE-2021-3911",
              "STATE": "PUBLIC",
              "TITLE": "Misconfigured IP address field in ROA leads to OctoRPKI crash"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "octorpki",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloudflare"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Koen van Hove"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22",
                  "refsource": "MISC",
                  "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22"
                },
                {
                  "name": "DSA-5041",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2022/dsa-5041"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to 1.4"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2021-3911",
        "datePublished": "2021-11-11T21:45:22.690Z",
        "dateReserved": "2021-10-26T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:31:10.731Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3910 (GCVE-0-2021-3910)

    Vulnerability from cvelistv5 – Published: 2021-11-11 21:45 – Updated: 2024-09-17 03:27
    Title
    NUL character in ROA causes OctoRPKI to crash
    Summary
    OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\0) character).
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloudflare octorpki Affected: unspecified , < 1.4.0 (custom)
    Date Public
    2021-11-01 00:00
    Credits
    Koen van Hove

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:09.697Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j"
              },
              {
                "name": "DSA-5041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2022/dsa-5041"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "octorpki",
              "vendor": "Cloudflare",
              "versions": [
                {
                  "lessThan": "1.4.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Koen van Hove"
            }
          ],
          "datePublic": "2021-11-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\\0) character)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-12T10:06:28.000Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j"
            },
            {
              "name": "DSA-5041",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5041"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 1.4"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "NUL character in ROA causes OctoRPKI to crash",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@cloudflare.com",
              "DATE_PUBLIC": "2021-11-01T22:48:00.000Z",
              "ID": "CVE-2021-3910",
              "STATE": "PUBLIC",
              "TITLE": "NUL character in ROA causes OctoRPKI to crash"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "octorpki",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloudflare"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Koen van Hove"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\\0) character)."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j",
                  "refsource": "MISC",
                  "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j"
                },
                {
                  "name": "DSA-5041",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2022/dsa-5041"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to 1.4"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2021-3910",
        "datePublished": "2021-11-11T21:45:21.177Z",
        "dateReserved": "2021-10-26T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:27:37.742Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3909 (GCVE-0-2021-3909)

    Vulnerability from cvelistv5 – Published: 2021-11-11 21:45 – Updated: 2024-09-16 23:06
    Title
    Infinite open connection causes OctoRPKI to hang forever
    Summary
    OctoRPKI does not limit the duration of a connection, allowing a slowloris DoS attack that makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to keeps the connection open for a day before returning a response, while drip-feeding new bytes to keep the connection alive.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    URL Tags
    https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244 x_refsource_MISC
    https://www.debian.org/security/2021/dsa-5033 vendor-advisory, x_refsource_DEBIAN
    https://www.debian.org/security/2022/dsa-5041 vendor-advisory, x_refsource_DEBIAN
    Impacted products
    Vendor Product Version
    Cloudflare octorpki Affected: unspecified , < 1.4.0 (custom)
    Date Public
    2021-11-01 00:00
    Credits
    Koen van Hove

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:09.584Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"
              },
              {
                "name": "DSA-5033",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2021/dsa-5033"
              },
              {
                "name": "DSA-5041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2022/dsa-5041"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "octorpki",
              "vendor": "Cloudflare",
              "versions": [
                {
                  "lessThan": "1.4.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Koen van Hove"
            }
          ],
          "datePublic": "2021-11-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-12T10:06:24.000Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"
            },
            {
              "name": "DSA-5033",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2021/dsa-5033"
            },
            {
              "name": "DSA-5041",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5041"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 1.4"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Infinite open connection causes OctoRPKI to hang forever",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@cloudflare.com",
              "DATE_PUBLIC": "2021-11-01T22:41:00.000Z",
              "ID": "CVE-2021-3909",
              "STATE": "PUBLIC",
              "TITLE": "Infinite open connection causes OctoRPKI to hang forever"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "octorpki",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloudflare"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Koen van Hove"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244",
                  "refsource": "MISC",
                  "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"
                },
                {
                  "name": "DSA-5033",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2021/dsa-5033"
                },
                {
                  "name": "DSA-5041",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2022/dsa-5041"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to 1.4"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2021-3909",
        "datePublished": "2021-11-11T21:45:19.611Z",
        "dateReserved": "2021-10-26T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:06:15.208Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3908 (GCVE-0-2021-3908)

    Vulnerability from cvelistv5 – Published: 2021-11-11 21:45 – Updated: 2024-09-16 23:21
    VLAI
    Title
    Infinite certificate chain depth results in OctoRPKI running forever
    Summary
    OctoRPKI does not limit the depth of a certificate chain, allowing a CA to create child certificates ad hoc so that tree traversal never terminates.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloudflare octorpki Affected: unspecified , < 1.4.0 (custom)
    Date Public
    2021-11-01 00:00
    Credits
    Koen van Hove

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:09.610Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq"
              },
              {
                "name": "DSA-5041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2022/dsa-5041"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "octorpki",
              "vendor": "Cloudflare",
              "versions": [
                {
                  "lessThan": "1.4.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Koen van Hove"
            }
          ],
          "datePublic": "2021-11-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-12T10:06:18.000Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq"
            },
            {
              "name": "DSA-5041",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5041"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 1.4"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Infinite certificate chain depth results in OctoRPKI running forever",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@cloudflare.com",
              "DATE_PUBLIC": "2021-11-01T22:28:00.000Z",
              "ID": "CVE-2021-3908",
              "STATE": "PUBLIC",
              "TITLE": "Infinite certificate chain depth results in OctoRPKI running forever"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "octorpki",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloudflare"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Koen van Hove"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400 Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq",
                  "refsource": "MISC",
                  "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq"
                },
                {
                  "name": "DSA-5041",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2022/dsa-5041"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to 1.4"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2021-3908",
        "datePublished": "2021-11-11T21:45:18.120Z",
        "dateReserved": "2021-10-26T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:21:31.088Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3907 (GCVE-0-2021-3907)

    Vulnerability from cvelistv5 – Published: 2021-11-11 21:45 – Updated: 2024-09-17 03:18
    VLAI
    Title
    Arbitrary filepath traversal via URI injection
    Summary
    OctoRPKI does not escape a URI whose filename contains "..". This allows a repository to create a file (e.g. rsync://example.org/repo/../../etc/cron.daily/evil.roa) that is then written to disk outside the base cache folder, which could allow remote code execution on the host machine OctoRPKI is running on.
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloudflare octorpki Affected: unspecified , < 1.4.3 (custom)
    Date Public
    2021-11-01 00:00
    Credits
    Koen van Hove

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:09.668Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh"
              },
              {
                "name": "DSA-5033",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2021/dsa-5033"
              },
              {
                "name": "DSA-5041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2022/dsa-5041"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "octorpki",
              "vendor": "Cloudflare",
              "versions": [
                {
                  "lessThan": "1.4.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Koen van Hove"
            }
          ],
          "datePublic": "2021-11-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "OctoRPKI does not escape a URI with a filename containing \"..\", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-23T12:10:10.000Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh"
            },
            {
              "name": "DSA-5033",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2021/dsa-5033"
            },
            {
              "name": "DSA-5041",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5041"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 1.4.3"
            }
          ],
          "source": {
            "advisory": "GHSA-3jhm-87m6-x959",
            "discovery": "EXTERNAL"
          },
          "title": "Arbitrary filepath traversal via URI injection",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@cloudflare.com",
              "DATE_PUBLIC": "2021-11-01T22:16:00.000Z",
              "ID": "CVE-2021-3907",
              "STATE": "PUBLIC",
              "TITLE": "Arbitrary filepath traversal via URI injection"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "octorpki",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.4.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloudflare"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Koen van Hove"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OctoRPKI does not escape a URI with a filename containing \"..\", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                },
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh",
                  "refsource": "MISC",
                  "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh"
                },
                {
                  "name": "DSA-5033",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2021/dsa-5033"
                },
                {
                  "name": "DSA-5041",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2022/dsa-5041"
                },
                {
                  "name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959",
                  "refsource": "MISC",
                  "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to 1.4.3"
              }
            ],
            "source": {
              "advisory": "GHSA-3jhm-87m6-x959",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2021-3907",
        "datePublished": "2021-11-11T21:45:16.585Z",
        "dateReserved": "2021-10-26T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:18:30.852Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3761 (GCVE-0-2021-3761)

    Vulnerability from cvelistv5 – Published: 2021-09-09 14:05 – Updated: 2024-09-17 02:56
    VLAI
    Title
    OctoRPKI lacks contextual out-of-bounds check when validating RPKI ROA maxLength values
    Summary
    Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitting an invalid VRP "MaxLength" value, causing RTR sessions to terminate. An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 13335 - Cloudflare) before launching a BGP hijack that would, during normal operations, be rejected as "RPKI invalid". Additionally, in certain deployments the RTR session flapping itself could cause BGP routing churn, leading to availability issues.
    CWE
    • Missing out of bounds check
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloudflare octorpki Affected: unspecified , < 1.3.0 (custom)
    Date Public
    2021-09-03 00:00
    Credits
    Job Snijders

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:08.491Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9"
              },
              {
                "name": "DSA-5041",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2022/dsa-5041"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "octorpki",
              "vendor": "Cloudflare",
              "versions": [
                {
                  "lessThan": "1.3.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Job Snijders"
            }
          ],
          "datePublic": "2021-09-03T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitting an invalid VRP \"MaxLength\" value, causing RTR sessions to terminate. An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 13335 - Cloudflare) prior to launching a BGP hijack which during normal operations would be rejected as \"RPKI invalid\". Additionally, in certain deployments RTR session flapping in and of itself also could cause BGP routing churn, causing availability issues."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Missing out of bounds check",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-12T10:06:26.000Z",
            "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
            "shortName": "cloudflare"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9"
            },
            {
              "name": "DSA-5041",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5041"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 1.3.0"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "OctoRPKI lacks contextual out-of-bounds check when validating RPKI ROA maxLength values",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@cloudflare.com",
              "DATE_PUBLIC": "2021-09-03T16:28:00.000Z",
              "ID": "CVE-2021-3761",
              "STATE": "PUBLIC",
              "TITLE": "OctoRPKI lacks contextual out-of-bounds check when validating RPKI ROA maxLength values"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "octorpki",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloudflare"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Job Snijders"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitting an invalid VRP \"MaxLength\" value, causing RTR sessions to terminate. An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 13335 - Cloudflare) prior to launching a BGP hijack which during normal operations would be rejected as \"RPKI invalid\". Additionally, in certain deployments RTR session flapping in and of itself also could cause BGP routing churn, causing availability issues."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Missing out of bounds check"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9",
                  "refsource": "MISC",
                  "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9"
                },
                {
                  "name": "DSA-5041",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2022/dsa-5041"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to 1.3.0"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "assignerShortName": "cloudflare",
        "cveId": "CVE-2021-3761",
        "datePublished": "2021-09-09T14:05:09.349Z",
        "dateReserved": "2021-09-01T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:56:31.062Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }