Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS0zN3hxLXE0MnAtcnYzcM4AA1fc

Low
Permalink JSON

ntpd has Dependency on Vulnerable Third-Party Component

Affected Packages Affected Versions Fixed Versions
cargo:ntpd < 0.3.7 0.3.7
0 Dependent packages
0 Dependent repositories
42,468 Downloads total

Affected Version Ranges

All affected versions

0.1.0, 0.1.1, 0.3.1, 0.3.2, 0.3.3, 0.3.5, 0.3.6

All unaffected versions

0.3.7, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.6.1

During startup, an attacker that can man-in-the-middle traffic to and from NTS key exchange servers can trigger a very expensive key validation process due to a vulnerability in webpki.

Impact

This vulnerability can lead to excessive cpu usage on startup on clients configured to use NTS

Patches

Affected users are recommended to upgrade to version 0.3.7

References

See also https://github.com/rustsec/advisory-db/blob/main/crates/rustls-webpki/RUSTSEC-2023-0053.md

References:

Identifiers

GHSA-37xq-q42p-rv3p

Risk

Severity

Low

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/pendulum-project/ntpd-rs

Date and time

Published

almost 2 years ago

Updated

about 1 year ago

API

JSON