Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13Nnd3LWZtZngtMngyMs0XHg
Misconfigured IP address field in ROA leads to OctoRPKI crash
If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash.
Patches
For more information
If you have any questions or comments about this advisory email us at [email protected]
Permalink: https://github.com/advisories/GHSA-w6ww-fmfx-2x22JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13Nnd3LWZtZngtMngyMs0XHg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 4.2
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Identifiers: GHSA-w6ww-fmfx-2x22, CVE-2021-3911
References:
- https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22
- https://nvd.nist.gov/vuln/detail/CVE-2021-3911
- https://www.debian.org/security/2022/dsa-5041
- https://github.com/cloudflare/cfrpki/commit/2882307febd66801de97b2a2ce4d93fe58132005
- https://pkg.go.dev/vuln/GO-2022-0252
- https://github.com/advisories/GHSA-w6ww-fmfx-2x22
Blast Radius: 0.0
Affected Packages
go:github.com/cloudflare/cfrpki
Dependent packages: 1Dependent repositories: 1
Downloads:
Affected Version Ranges: < 1.4.0
Fixed in: 1.4.0
All affected versions: 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.3.0
All unaffected versions: 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10