History: Jun 14, 2023 - 12:15 p.m.

CVE-2023-3036

2023-06-14 12:15:09
CWE-119
CWE-125
cloudflare
web.nvd.nist.gov
cve-2023-3036
ntp server
github
cloudflare
ntsauthenticator
remote attack
panic

CVSS3: 8.6

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

AI Score: 7.4
Confidence: High

EPSS: 0.002
Percentile: 52.5%

An unchecked read in NTP server in github.com/cloudflare/cfnts prior to commit 783490b (https://github.com/cloudflare/cfnts/commit/783490b913f05e508a492cd7b02e3c4ec2297b71) enabled a remote attacker to trigger a panic by sending an NTSAuthenticator packet with extension length longer than the packet contents.

Affected configurations

Nvd

Node: cloudflare cfnts, Range < 2023-06-01, rust

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| cloudflare | cfnts | * | cpe:2.3:a:cloudflare:cfnts:*:*:*:*:*:rust:*:* |

CNA Affected

[
  {
    "collectionURL": "https://github.com",
    "defaultStatus": "unaffected",
    "packageName": "cfnts",
    "platforms": [
      "rust"
    ],
    "product": "cfnts",
    "vendor": "Cloudflare",
    "versions": [
      {
        "lessThan": "< 783490b",
        "status": "affected",
        "version": "0",
        "versionType": "git"
      }
    ]
  }
]
