CVE-2022-3029 — Improper Handling of Unexpected Data Type in Labs Routinator

CWE-241 — Improper Handling of Unexpected Data Type CWE-617 — Reachable Assertion5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 32.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nlnet Labs Routinator Nlnetlabs Routinator

Timeline

PublishedSep 13

Latest updateDec 4

Description

In NLnet Labs Routinator 0.9.0 up to and including 0.11.2, due to a mistake in error handling, data in RRDP snapshot and delta files that isn’t correctly base 64 encoded is treated as a fatal error and causes Routinator to exit. Worst case impact of this vulnerability is denial of service for the RPKI data that Routinator provides to routers. This may stop your network from validating route origins based on RPKI data. This vulnerability does not allow an attacker to manipulate RPKI data.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶crates.ionlnet_labs/routinator0.9.0 — 0.11.3

▶NVDnlnetlabs/routinator0.9.0 — 0.11.2

▶CVEListV5nlnet_labs/routinatorunspecified — 0.11.2

🔴Vulnerability Details

OSV

NLnet Labs Routinator has Reachable Assertion vulnerability↗2022-09-14

▶

GHSA

NLnet Labs Routinator has Reachable Assertion vulnerability↗2022-09-14

▶

CVEList

Fatal error on incorrect base64 data in RRDP↗2022-09-13

▶

📄Research Papers

arXiv

The CURE To Vulnerabilities in RPKI Validation↗2023-12-04

▶