ntpd has Dependency on Vulnerable Third-Party Component

2023-08-2422:18:39

CWE-1395

GitHub Advisory Database

github.com

ntpd

vulnerable

third-party component

man-in-the-middle

nts

key exchange

cpu usage

upgrade

rustls webpki

6.9 Medium

AI Score

Confidence

High

JSON

During startup, an attacker that can man-in-the-middle traffic to and from NTS key exchange servers can trigger a very expensive key validation process due to a vulnerability in webpki.

Impact

This vulnerability can lead to excessive cpu usage on startup on clients configured to use NTS

Patches

Affected users are recommended to upgrade to version 0.3.7

References

Affected configurations

Vulners

Node

ntpd_driver_projectntpd_driverRange<0.3.7

CPENameOperatorVersion
ntpdlt0.3.7

CPE	Name	Operator	Version
	ntpd	lt	0.3.7

References

github.com/advisories/GHSA-37xq-q42p-rv3p

github.com/pendulum-project/ntpd-rs/commit/927952a440176a18f3ded132eb831ae7f7ac5c00

github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-37xq-q42p-rv3p

github.com/rustsec/advisory-db/blob/main/crates/rustls-webpki/RUSTSEC-2023-0053.md

6.9 Medium

AI Score

Confidence

High

JSON