github.com/cloudflare/cfrpki
Go8 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting github.com/cloudflare/cfrpkipage 1 of 1
- CVE-2021-3761HIGHCVSS 7.5EG 7.5✓ Fixed in 1.3.02021-09-09
Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitting an invalid VRP "MaxLength" value, causing RTR sessions to terminate. An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 1…
- CVE-2021-3907HIGHCVSS 7.4EG 7.4✓ Fixed in 1.4.42021-11-11
OctoRPKI does not escape a URI with a filename containing "..", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. Thi…
- CVE-2021-3908MEDIUMCVSS 5.9EG 5.9✓ Fixed in 1.4.02021-11-11
OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end.
- CVE-2021-3909MEDIUMCVSS 4.4EG 4.4✓ Fixed in 1.4.02021-11-11
OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a …
- CVE-2021-3910MEDIUMCVSS 4.4EG 4.4✓ Fixed in 1.4.02021-11-11
OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\0) character).
- CVE-2021-3911MEDIUMCVSS 4.2EG 4.2✓ Fixed in 1.4.02021-11-11
If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash.
- CVE-2021-3912MEDIUMCVSS 4.2EG 4.2✓ Fixed in 1.4.02021-11-11
OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash).
- CVE-2022-3616MEDIUMCVSS 5.4EG 5.4✓ Fixed in 1.4.42022-10-28
Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service.…
Check whether github.com/cloudflare/cfrpki is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for github.com/cloudflare/cfrpki CVEs against the assets you own.
Start Free Scan →