Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE3NmotNThjeC13cDV2

Vulnerability in RPKI manifest validation

A vulnerability in RPKI manifest validation exists when objects on the manifest are hidden, or expired objects are replayed. An attacker successfully exploiting this vulnerability could prevent new ROAs from being received or selectively hide ROAs, causing routes to become INVALID.

To exploit this vulnerability, an attacker would need to perform a man-in-the-middle attack on the TLS connection between the validator and an RRDP repository, or perform a man-in-the-middle attack against an rsync-only repository.

The update addresses the vulnerability by implementing validation methods from RFC 6486bis and enabling strict validation by default.
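To illustrate the strict checks the fix describes, here is an added Python model of RFC 6486bis-style manifest validation, written for this page and not taken from rpki-validator-3. The Manifest class is a hypothetical simplification of the real CMS-signed object, and the file names, hashes and timestamps are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Manifest:
    """Fields a relying party checks from a manifest (hypothetical simplified
    model; real manifests are CMS-signed ASN.1 objects)."""
    manifest_number: int
    this_update: datetime
    next_update: datetime
    file_list: dict  # object file name -> expected SHA-256 hex digest


def validate_manifest(mft, fetched, now, last_seen_number=None):
    """Strict validation in the spirit of RFC 6486bis: return (ok, reasons).
    A listed object that is missing or altered, a stale manifest, or a manifest
    number that went backwards rejects the whole publication point instead of
    quietly dropping the affected ROAs, which is what lenient validation did."""
    reasons = []
    # Replay check: a re-sent older manifest carries a lower manifest number.
    if last_seen_number is not None and mft.manifest_number < last_seen_number:
        reasons.append("manifest number went backwards (possible replay)")
    # Freshness check: an expired (or not yet valid) manifest is not accepted.
    if not (mft.this_update <= now < mft.next_update):
        reasons.append("manifest is stale or not yet valid")
    # Completeness and integrity: every listed object must be present and match.
    for name, expected in mft.file_list.items():
        data = fetched.get(name)
        if data is None:
            reasons.append(f"listed object missing: {name}")
        elif sha256_hex(data) != expected:
            reasons.append(f"hash mismatch for {name}")
    return (not reasons, reasons)


# Constructed sample publication point: two ROAs and a manifest listing both.
SAMPLE_FILES = {"roa1.roa": b"constructed ROA one", "roa2.roa": b"constructed ROA two"}
SAMPLE_NOW = datetime(2020, 10, 29, tzinfo=timezone.utc)
SAMPLE_MANIFEST = Manifest(
    manifest_number=42,
    this_update=datetime(2020, 10, 28, tzinfo=timezone.utc),
    next_update=datetime(2020, 10, 30, tzinfo=timezone.utc),
    file_list={name: sha256_hex(data) for name, data in SAMPLE_FILES.items()},
)
```

Calling validate_manifest with SAMPLE_FILES minus one ROA models the "hidden object" case: strict mode returns a failure for the whole publication point rather than silently accepting the remaining ROAs.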

Permalink: https://github.com/advisories/GHSA-q76j-58cx-wp5v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE3NmotNThjeC13cDV2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


Identifiers: GHSA-q76j-58cx-wp5v
References: Repository: https://github.com/RIPE-NCC/rpki-validator-3
Blast Radius: 1.0

Affected Packages

maven:net.ripe.rpki:rpki-validator-3
Affected Version Ranges: <= 3.2-2020.10.28.22.25
Fixed in: 3.2-2020.10.28.23.06