Severity: 7.5 HIGH (NVD)
EPSS: 0.3% (top 42.73%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 13; Latest update Dec 4

Description

NLnet Labs' Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects. This is due to insufficient input checking in the bcder library covered by CVE-2023-39914.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

NVD: nlnetlabs/routinator < 0.12.2
CVEListV5: nlnet_labs/routinator *0.12.2

🔴 Vulnerability Details (2)

GHSA: GHSA-xhpp-8gq6-3hf5: NLnet Labs’ Routinator up to and including version 0 (2023-09-13)
CVEList: Crashes on parsing certain invalid RPKI objects (2023-09-13)

📄 Research Papers (1)

arXiv: The CURE To Vulnerabilities in RPKI Validation (2023-12-04)
CVE-2023-39915 — Nlnet Labs Routinator vulnerability | cvebase