Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04Y3ZyLTRycmYtZjI0NM0XIQ
Infinite open connection causes OctoRPKI to hang forever
OctoRPKI (github.com/cloudflare/cfrpki/cmd/octorpki) does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive.
Patches
For more information
If you have any questions or comments about this advisory email us at [email protected]
Permalink: https://github.com/advisories/GHSA-8cvr-4rrf-f244JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04Y3ZyLTRycmYtZjI0NM0XIQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: about 1 year ago
CVSS Score: 4.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-8cvr-4rrf-f244, CVE-2021-3909
References:
- https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244
- https://nvd.nist.gov/vuln/detail/CVE-2021-3909
- https://github.com/cloudflare/cfrpki/releases/tag/v1.4.0
- https://www.debian.org/security/2021/dsa-5033
- https://www.debian.org/security/2022/dsa-5041
- https://github.com/advisories/GHSA-8cvr-4rrf-f244
Blast Radius: 0.0
Affected Packages
go:github.com/cloudflare/cfrpki
Dependent packages: 1Dependent repositories: 1
Downloads:
Affected Version Ranges: < 1.4.0
Fixed in: 1.4.0
All affected versions: 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.3.0
All unaffected versions: 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10