9 matches found
CVE-2021-3907
CVE-2021-3907 affects OctoRPKI: a URI containing a filename with ".." can cause a repository to write a file outside the base cache folder, potentially enabling remote code execution on the host running OctoRPKI. The connected documents indicate this is a path/traversal issue in the OctoRPKI impl...
CVE-2021-3912
CVE-2021-3912 affects OctoRPKI: it loads an entire repository into memory and can unzip a gzip bomb in memory, enabling resource exhaustion and a crash. The vulnerability is described consistently across multiple feeds as a memory/CPU exhaustion issue triggered by oversized input or crafted archi...
CVE-2021-3911
CVE-2021-3911 : In Cloudflare’s CFRPKI/OctoRPKI stack, a ROA response containing too many bits for the IP address can cause OctoRPKI to crash, i.e., an availability issue. The vulnerability is triggered when the ROA payload’s IP bit width exceeds expected limits, leading to a crash rather than a ...
CVE-2021-3761
CVE-2021-3761 affects Cloudflare’s RPKI validator (OctoRPKI) prior to 1.3.0, where any CA issuer can trigger an invalid VRP MaxLength value, causing RTR sessions to terminate. This can disable RPKI Origin Validation in a victim network and potentially enable a subsequent BGP hijack; RTR session f...
CVE-2021-3909
CVE-2021-3909 affects OctoRPKI: the vulnerable component does not bound connection length, enabling a slowloris-style DOS where the target repository keeps the HTTP connection open (up to about a day) while drip-feeding data. This can cause the OctoRPKI service to hang, impacting availability. Co...
CVE-2021-3910
CVE-2021-3910 concerns Cloudflare’s CFRpki/OctoRPKI where processing a repository ROA that is just a NUL character can cause a crash. Connected sources confirm this vulnerability in CFRpki/OctoRPKI (e.g., GO-2022-0251 and OSV/NVD copies) and note the issue arises from an invalid ROA payload. The ...
CVE-2021-3978
CVE-2021-3978 affects Cloudflare CFRPKI’s octorpki. The root cause is that copying files with rsync uses the “-a” flag 0, causing binaries with the SUID bit to be copied as root. The service definition defaults to root, creating a potential local privilege escalation vector if a malicious TAL fil...
CVE-2021-3908
CVE-2021-3908 affects Cloudflare’s CFRpki/OctoRPKI validator. The issue: an unlimited certificate-chain depth allows tree traversal to recurse indefinitely, potentially leading to denial of service or path traversal. Affected component: CFRpki/OctoRPKI (RPKI validator). Root cause: no limit on ce...
CVE-2022-3616
Affected software/area: OctoRPKI (github.com/cloudflare/cfrpki) in the octorpki command. Root cause / vulnerability detail: Attackers can construct long chains of Certificate Authorities (CAs) that exhaust the max iterations limit, causing OctoRPKI to crash and fail validation, resulting in a den...