CVE-2021-43173Improper Handling of Exceptional Conditions in Routinator

CWE-755Improper Handling of Exceptional ConditionsCWE-400Uncontrolled Resource Consumption5 documents5 sources
Severity
7.5HIGHNVD
EPSS
0.4%
top 36.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Nicmx Fort-validatorNlnetlabs RoutinatorNlnet Labs Routinator+1 more
Timeline
PublishedNov 9
Latest updateMay 24

Description

In NLnet Labs Routinator prior to 0.10.2, a validation run can be delayed significantly by an RRDP repository by not answering but slowly drip-feeding bytes to keep the connection alive. This can be used to effectively stall validation. While Routinator has a configurable time-out value for RRDP connections, this time-out was only applied to individual read or write operations rather than the complete request. Thus, if an RRDP repository sends a little bit of data before that time-out expired, i

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDnlnetlabs/routinator< 0.10.2
CVEListV5nlnet_labs/routinatorunspecified0.10.1
Debiannicmx/fort-validator< 1.5.3-1~deb11u1+3

Also affects: Debian Linux 11.0

🔴Vulnerability Details

3
GHSA
GHSA-pgwq-8wjv-xhhr: In NLnet Labs Routinator prior to 02022-05-24
CVEList
Hanging RRDP request2021-11-09
OSV
CVE-2021-43173: In NLnet Labs Routinator prior to 02021-11-09

📋Vendor Advisories

1
Debian
CVE-2021-43173: cfrpki - In NLnet Labs Routinator prior to 0.10.2, a validation run can be delayed signif...2021
CVE-2021-43173 — Nlnetlabs Routinator vulnerability | cvebase