GHSA-pmw9-567p-68pc

Source
https://github.com/advisories/GHSA-pmw9-567p-68pc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-pmw9-567p-68pc/GHSA-pmw9-567p-68pc.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-pmw9-567p-68pc
Aliases
Published
2022-10-31T18:45:43Z
Modified
2024-08-21T16:29:01.714910Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H
Summary
OctoRPKI crashes when max iterations is reached
Details

Impact

An attacker can create long chains of CAs that lead OctoRPKI to exceed its max iterations parameter during validation. When the limit is reached the program crashes instead of stopping gracefully, so validation never completes and the result is a denial of service. Credits to Donika Mirdita and Haya Shulman - Fraunhofer SIT, ATHENE, who discovered and reported this vulnerability.
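The failure mode described above, as an added illustration that is not cfrpki's own code: a constructed CA-tree walker with an iteration cap, shown in the pre-fix shape (reaching the cap aborts the whole run, here a panic standing in for a process exit) beside a hardened shape (reaching the cap returns the partial result and an explicit error, so the run can finish and the truncated repository can be reported). The caNode type, the walk functions, the chain builder and the limit of 100 are assumptions for this example; the actual cfrpki data structures and the v1.4.4 change are not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
)

// caNode is a constructed stand-in for an RPKI CA certificate: each CA can
// reference child CAs that the validator must walk next. This is not
// cfrpki's data model.
type caNode struct {
	name     string
	children []*caNode
}

// ErrMaxIterations is returned by the hardened walker when the cap is hit.
var ErrMaxIterations = errors.New("rpki: max iterations reached, CA chain truncated")

// walkFatal mirrors the failure mode in the advisory: reaching the iteration
// cap aborts the whole run (panic stands in for a process exit), so no
// validation result is produced at all. Pre-fix shape, kept deliberately.
func walkFatal(root *caNode, maxIter int) (visited []string) {
	queue := []*caNode{root}
	for len(queue) > 0 {
		if len(visited) >= maxIter {
			panic("max iterations reached") // crash: denial of service
		}
		n := queue[0]
		queue = queue[1:]
		visited = append(visited, n.name)
		queue = append(queue, n.children...)
	}
	return visited
}

// walkBounded is the hardened shape: hitting the cap stops the walk, but the
// caller still receives the CAs processed so far plus an explicit error, so
// validation completes and the over-long chain can be logged or alerted on.
func walkBounded(root *caNode, maxIter int) ([]string, error) {
	var visited []string
	queue := []*caNode{root}
	for len(queue) > 0 {
		if len(visited) >= maxIter {
			return visited, ErrMaxIterations
		}
		n := queue[0]
		queue = queue[1:]
		visited = append(visited, n.name)
		queue = append(queue, n.children...)
	}
	return visited, nil
}

// buildChain constructs a linear chain of depth CAs, the attacker-controlled
// input in the advisory's scenario. Constructed sample data.
func buildChain(depth int) *caNode {
	root := &caNode{name: "ca-0"}
	cur := root
	for i := 1; i < depth; i++ {
		child := &caNode{name: fmt.Sprintf("ca-%d", i)}
		cur.children = []*caNode{child}
		cur = child
	}
	return root
}

// runFatal wraps walkFatal so the crash can be observed as a recovered panic
// instead of taking the process down.
func runFatal(root *caNode, maxIter int) (visited []string, crashed bool) {
	defer func() {
		if r := recover(); r != nil {
			crashed = true
		}
	}()
	return walkFatal(root, maxIter), false
}

func main() {
	const maxIter = 100           // assumed cap for the example
	chain := buildChain(1000)     // far longer than the cap

	_, crashed := runFatal(chain, maxIter)
	fmt.Println("pre-fix walker crashed:", crashed)

	visited, err := walkBounded(chain, maxIter)
	fmt.Printf("hardened walker: processed %d CAs, err=%v\n", len(visited), err)

	visited, err = walkBounded(buildChain(5), maxIter)
	fmt.Printf("hardened walker on short chain: processed %d CAs, err=%v\n", len(visited), err)
}
```

The point of the hardened shape is that the cap is an expected condition (CWE-754) rather than a fatal one: the validator keeps whatever it has processed, returns a distinguishable error, and the operator sees which repository exceeded the limit instead of a dead process.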

Specific Go Packages Affected

github.com/cloudflare/cfrpki/cmd/octorpki

Patches

This issue is fixed in v1.4.4

Workarounds

None.

Database specific
{
    "nvd_published_at": "2022-10-28T07:15:00Z",
    "cwe_ids": [
        "CWE-754",
        "CWE-834"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-31T18:45:43Z"
}
References

Affected packages

Go / github.com/cloudflare/cfrpki

Package

Name
github.com/cloudflare/cfrpki
Purl
pkg:golang/github.com/cloudflare/cfrpki

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.4.4

Database specific

{
    "last_known_affected_version_range": "<= 1.4.3"
}