Lucene search

Ubuntu.comUB:CVE-2022-3616

HistoryOct 28, 2022 - 12:00 a.m.

CVE-2022-3616

2022-10-2800:00:00

ubuntu.com

cve-2022-3616

octorpki

denial of service

excessive ca chain

vulnerability

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

38.4%

JSON

Attackers can create long chains of CAs that would lead to OctoRPKI
exceeding its max iterations parameter. In consequence it would cause the
program to crash, preventing it from finishing the validation and leading
to a denial of service. Credits to Donika Mirdita and Haya Shulman -
Fraunhofer SIT, ATHENE, who discovered and reported this vulnerability.

OSVersionArchitecturePackageVersionFilename
ubuntu22.04noarchcfrpki< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	22.04	noarch	cfrpki	< any	UNKNOWN

References

github.com/cloudflare/cfrpki/security/advisories/GHSA-pmw9-567p-68pc

launchpad.net/bugs/cve/CVE-2022-3616

nvd.nist.gov/vuln/detail/CVE-2022-3616

security-tracker.debian.org/tracker/CVE-2022-3616

www.cve.org/CVERecord?id=CVE-2022-3616

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

38.4%

JSON

Related for UB:CVE-2022-3616