CVE-2021-3912 — Uncontrolled Resource Consumption in Octorpki

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation of Resources Without Limits or Throttling7 documents5 sources

Severity

6.5MEDIUMNVD

CNA4.2

EPSS

0.6%

top 31.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cloudflare Octorpki Github.com Cloudflare Cfrpki Debian Linux

Timeline

PublishedNov 11

Latest updateJul 15

Description

OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5cloudflare/octorpkiunspecified — 1.4.0

▶NVDcloudflare/octorpki< 1.3.0

▶Gogithub.com/cloudflare_cfrpki< 1.4.0

Also affects: Debian Linux 11.0

🔴Vulnerability Details

OSV

Resource exhaustion via GZIP bomb in github.com/cloudflare/cfrpki↗2022-07-15

▶

OSV

CVE-2021-3912: OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create↗2021-11-11

▶

CVEList

OctoRPKI crashes when processing GZIP bomb returned via malicious repository↗2021-11-11

▶

GHSA

OctoRPKI crashes when processing GZIP bomb returned via malicious repository↗2021-11-10

▶

OSV

OctoRPKI crashes when processing GZIP bomb returned via malicious repository↗2021-11-10

▶

📋Vendor Advisories

Debian

CVE-2021-3912: cfrpki - OctoRPKI tries to load the entire contents of a repository in memory, and in the...↗2021

▶