CVE-2021-43172: Uncontrolled Recursion in Routinator

Severity: 7.5 HIGH (NVD)
EPSS: 0.5% (top 32.35%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 9, 2021; Latest update May 24, 2022

Description

NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRDP repositories of infinite length causing it to never finish a validation run. In RPKI, a CA can choose the RRDP repository it wishes to publish its data in. By continuously generating a new child CA that only consists of another CA using a different RRDP repository, a malicious CA can create a chain of CAs of de-facto infinite length. Routinator prior to version 0.10.2 did not contain a limit on the length of such a chain and
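The mechanism in the description is easy to misjudge: a validator that only de-duplicates repositories it has already seen is not protected, because the malicious CA points every hop at a brand-new RRDP URI, so no cycle is ever detected and the walk simply keeps descending. The only effective countermeasure is a hard cap on how deep (or how many repositories) a single validation run may go. The Rust below is an added, self-contained illustration written for this page; it is not Routinator's code. It models the CA tree walk with a constructed `InfiniteChain` fetcher (repository N publishes one child CA whose SIA points at repository N+1) and a constructed benign `FiniteTree`, and shows that a visited-set check alone lets the attack run while a depth cap rejects it. The names `CaCert`, `RepoFetcher`, `validate`, the `evil.example`/`rpki.example` URIs and the limit of 32 are all assumptions made for the example (upstream's fix in 0.10.2 likewise introduced a configurable CA-depth limit).

```rust
use std::collections::HashSet;

/// One CA certificate as the validator sees it: a name and the RRDP
/// repository (SIA notification URI) in which its children are published.
#[derive(Clone, Debug, PartialEq)]
pub struct CaCert {
    pub name: String,
    pub rrdp_uri: String,
}

/// Abstract over "fetch this RRDP repository and return the CA certificates
/// it publishes", so the walk can run offline on constructed data.
pub trait RepoFetcher {
    fn fetch(&self, rrdp_uri: &str) -> Vec<CaCert>;
}

/// Constructed attacker (assumed URIs): repository N publishes exactly one
/// child CA whose SIA points at a *different* repository N+1. Every hop is a
/// fresh URI, so a visited-set check never trips; generated on demand, the
/// chain is effectively infinite.
pub struct InfiniteChain;

const EVIL_PREFIX: &str = "https://evil.example/rrdp/";

impl RepoFetcher for InfiniteChain {
    fn fetch(&self, rrdp_uri: &str) -> Vec<CaCert> {
        let n: u64 = rrdp_uri
            .strip_prefix(EVIL_PREFIX)
            .and_then(|s| s.strip_suffix("/notification.xml"))
            .and_then(|s| s.parse().ok())
            .unwrap_or(0);
        vec![CaCert {
            name: format!("evil-child-{}", n + 1),
            rrdp_uri: format!("{}{}/notification.xml", EVIL_PREFIX, n + 1),
        }]
    }
}

/// Constructed benign hierarchy: TA -> lir-a, lir-b; lir-a -> lir-a-sub.
pub struct FiniteTree;

impl RepoFetcher for FiniteTree {
    fn fetch(&self, rrdp_uri: &str) -> Vec<CaCert> {
        let ca = |name: &str, uri: &str| CaCert { name: name.into(), rrdp_uri: uri.into() };
        match rrdp_uri {
            "https://rpki.example/ta/notification.xml" => vec![
                ca("lir-a", "https://rpki.example/a/notification.xml"),
                ca("lir-b", "https://rpki.example/b/notification.xml"),
            ],
            "https://rpki.example/a/notification.xml" => {
                vec![ca("lir-a-sub", "https://rpki.example/a-sub/notification.xml")]
            }
            _ => Vec::new(),
        }
    }
}

#[derive(Debug, PartialEq)]
pub enum ValidationError {
    /// The CA chain grew past the configured depth; `cert` is the one rejected.
    ChainTooDeep { depth: usize, cert: String },
}

/// Walk the CA tree from the TA and return the number of CAs validated.
/// `max_ca_depth = None` reproduces the uncapped (pre-fix) behaviour: on
/// `InfiniteChain` that call never returns, which is the denial of service.
pub fn validate<F: RepoFetcher>(
    fetcher: &F,
    ta: &CaCert,
    max_ca_depth: Option<usize>,
) -> Result<usize, ValidationError> {
    let mut visited = HashSet::new();
    let mut validated = 0usize;
    walk(fetcher, ta, 0, max_ca_depth, &mut visited, &mut validated)?;
    Ok(validated)
}

fn walk<F: RepoFetcher>(
    fetcher: &F,
    cert: &CaCert,
    depth: usize,
    max_ca_depth: Option<usize>,
    visited: &mut HashSet<String>,
    validated: &mut usize,
) -> Result<(), ValidationError> {
    if let Some(max) = max_ca_depth {
        if depth > max {
            return Err(ValidationError::ChainTooDeep { depth, cert: cert.name.clone() });
        }
    }
    *validated += 1;
    // Cycle protection only: a repository already processed is skipped.
    // This does NOT stop the attack, because every hop uses a new URI.
    if !visited.insert(cert.rrdp_uri.clone()) {
        return Ok(());
    }
    for child in fetcher.fetch(&cert.rrdp_uri) {
        walk(fetcher, &child, depth + 1, max_ca_depth, visited, validated)?;
    }
    Ok(())
}

pub fn evil_ta() -> CaCert {
    CaCert { name: "evil-ta".into(), rrdp_uri: format!("{}0/notification.xml", EVIL_PREFIX) }
}

pub fn benign_ta() -> CaCert {
    CaCert { name: "ta".into(), rrdp_uri: "https://rpki.example/ta/notification.xml".into() }
}

fn main() {
    // Benign tree finishes with 4 CAs; the attacker chain is cut off at depth 33.
    println!("{:?}", validate(&FiniteTree, &benign_ta(), Some(32)));
    println!("{:?}", validate(&InfiniteChain, &evil_ta(), Some(32)));
}
```

The practical caveat for operators is the same one the code makes visible: a depth cap turns an unbounded run into a validation error for the offending branch, so the cap must be logged and alerted on rather than silently swallowed, and it must be high enough that legitimate hierarchies (which are only a handful of levels deep) are never rejected.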

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Source      Package                  Affected versions
NVD         nlnetlabs/routinator     < 0.10.2
crates.io   nlnet_labs/routinator    < 0.10.2
CVEListV5   nlnet_labs/routinator    unspecified; 0.10.1

Vulnerability Details (4)

GHSA     Routinator infinite loop vulnerability (2022-05-24)
OSV      Routinator infinite loop vulnerability (2022-05-24)
CVEList  Infinite length chain of RRDP repositories (2021-11-09)
OSV      CVE-2021-43172: NLnet Labs Routinator prior to 0... (2021-11-09)

Vendor Advisories (1)

Debian   CVE-2021-43172: rpki-client - NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRDP reposito... (2021)
CVE-2021-43172 — Uncontrolled Recursion in Routinator | cvebase