CVE-2021-3909: Uncontrolled Resource Consumption in OctoRPKI

Severity
NVD: 7.5 HIGH
CNA: 4.4

EPSS
0.7% (top 27.20%)

CISA KEV
Not in KEV

Exploit
No known exploits

Timeline
Published: Nov 11
Latest update: Aug 21

Description

OctoRPKI does not limit the length of a connection, allowing a slowloris DoS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to keeps the connection open for a day before a response is returned, while drip-feeding new bytes to keep the connection alive.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

Source     | Package                | Affected    | Fixed
CVEListV5  | cloudflare/octorpki    | unspecified | 1.4.0
NVD        | cloudflare/octorpki    | < 1.3.0     |
Debian     | nicmx/fort-validator   | < 1.5.3-1~deb11u1+3 |

Also affects: Debian Linux 11.0

Vulnerability Details (5)

OSV: Infinite open connection causes OctoRPKI to hang forever in github.com/cloudflare/cfrpki (2024-08-21)
CVEList: Infinite open connection causes OctoRPKI to hang forever (2021-11-11)
OSV: CVE-2021-3909: OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever (2021-11-11)
OSV: Infinite open connection causes OctoRPKI to hang forever (2021-11-10)
GHSA: Infinite open connection causes OctoRPKI to hang forever (2021-11-10)

Vendor Advisories (1)

Debian: CVE-2021-3909: cfrpki - OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS... (2021)

Source: CVE-2021-3909 - Uncontrolled Resource Consumption | cvebase