CVE-2024-45238: NULL Pointer Dereference in Fort Validator

Severity: 7.5 HIGH (NVD)
EPSS: 0.8% (top 26.43%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 24; latest update Oct 8

Description

An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate whose SubjectPublicKeyInfo bit string does not properly decode into a Subject Public Key. OpenSSL does not report this problem during certificate parsing, and when Fort is compiled against OpenSSL libcrypto versions below 3 the public-key lookup yields a NULL pointer that Fort dereferences without checking. Because Fort is an RPKI Relying Party, the resulting crash makes Route Origin Validation unavailable to the routers that depend on it. The fix is to upgrade to Fort 1.6.3 or later, or to a distribution package carrying the backport (see Affected Packages below).
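The failure mode above is that a certificate can pass structural parsing while its key still fails to decode, so the relying party must treat a NULL key as a validation error rather than assume one exists. The following C program is an added illustration of that pattern and is not Fort's code or OpenSSL's: it uses a small hand-written DER reader (an assumption, standing in for libcrypto) to parse a SubjectPublicKeyInfo in two stages, framing first and key decoding second, and shows the unchecked consumer beside the hardened one. The two SPKI byte strings are constructed test data, one with a valid RSAPublicKey and one whose BIT STRING payload is not a SEQUENCE at all.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* A borrowed view into a DER buffer. */
typedef struct { const uint8_t *p; size_t len; } der_span;

/* Minimal DER TLV reader: checks the tag, reads short- or long-form length,
 * and returns the element body. Returns 0 on any framing error. */
int der_read_tlv(const uint8_t *buf, size_t len, uint8_t want_tag,
                 der_span *body, size_t *consumed) {
    size_t i = 1, l = 0;
    if (len < 2 || buf[0] != want_tag) return 0;
    if (buf[i] < 0x80) {
        l = buf[i++];
    } else {
        size_t n = buf[i++] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || i + n > len) return 0;
        for (size_t k = 0; k < n; k++) l = (l << 8) | buf[i++];
    }
    if (l > len - i) return 0;
    body->p = buf + i;
    body->len = l;
    if (consumed) *consumed = i + l;
    return 1;
}

/* Stage 1: structural parse of SubjectPublicKeyInfo ::= SEQUENCE {
 * algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING }.
 * Like a lenient X.509 parser, it only checks the framing; it does not
 * look inside the BIT STRING, so a garbage key still "parses". */
int parse_spki(const uint8_t *der, size_t len, der_span *subject_public_key) {
    der_span spki, alg;
    size_t used;
    if (!der_read_tlv(der, len, 0x30, &spki, &used) || used != len) return 0;
    if (!der_read_tlv(spki.p, spki.len, 0x30, &alg, &used)) return 0;
    return der_read_tlv(spki.p + used, spki.len - used, 0x03,
                        subject_public_key, NULL);
}

typedef struct { der_span n; der_span e; } rsa_pubkey;

/* Stage 2: decode the BIT STRING payload as RSAPublicKey ::= SEQUENCE {
 * modulus INTEGER, publicExponent INTEGER }. Returns NULL when the bits do
 * not decode, which is the case the consumer must handle. */
rsa_pubkey *decode_rsa_public_key(const der_span *bits) {
    der_span seq;
    size_t used;
    rsa_pubkey *key;
    /* First octet is the unused-bits count; a DER-encoded key has 0. */
    if (bits->len < 1 || bits->p[0] != 0) return NULL;
    if (!der_read_tlv(bits->p + 1, bits->len - 1, 0x30, &seq, &used) ||
        used != bits->len - 1) return NULL;
    key = calloc(1, sizeof *key);
    if (key == NULL) return NULL;
    if (!der_read_tlv(seq.p, seq.len, 0x02, &key->n, &used) ||
        !der_read_tlv(seq.p + used, seq.len - used, 0x02, &key->e, NULL)) {
        free(key);
        return NULL;
    }
    return key;
}

/* Vulnerable consumer: assumes a certificate that parsed must have a key. */
size_t modulus_len_unchecked(const uint8_t *der, size_t len) {
    der_span bits;
    rsa_pubkey *key;
    size_t r;
    if (!parse_spki(der, len, &bits)) return 0;
    key = decode_rsa_public_key(&bits);
    r = key->n.len;            /* NULL dereference on a malformed key */
    free(key);
    return r;
}

/* Hardened consumer: a NULL key is a validation failure, reported to the
 * caller, so the relying party rejects the certificate instead of crashing. */
int modulus_len_checked(const uint8_t *der, size_t len, size_t *out) {
    der_span bits;
    rsa_pubkey *key;
    if (!parse_spki(der, len, &bits)) return -1;
    key = decode_rsa_public_key(&bits);
    if (key == NULL) return -1;
    *out = key->n.len;
    free(key);
    return 0;
}

/* Constructed test data: rsaEncryption AlgorithmIdentifier followed by a
 * BIT STRING. GOOD_SPKI wraps a tiny RSAPublicKey; BAD_SPKI wraps 0xffff,
 * which is a well-framed BIT STRING that is not an RSAPublicKey. */
const uint8_t GOOD_SPKI[] = {
    0x30, 0x1d,
      0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
                  0x01, 0x01, 0x01, 0x05, 0x00,
      0x03, 0x0c, 0x00,
        0x30, 0x09, 0x02, 0x02, 0x00, 0xb5, 0x02, 0x03, 0x01, 0x00, 0x01
};
const uint8_t BAD_SPKI[] = {
    0x30, 0x14,
      0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
                  0x01, 0x01, 0x01, 0x05, 0x00,
      0x03, 0x03, 0x00, 0xff, 0xff
};

int main(void) {
    der_span bits;
    size_t n;
    printf("bad SPKI parses structurally: %d\n",
           parse_spki(BAD_SPKI, sizeof BAD_SPKI, &bits));
    printf("good key, checked: rc=%d modulus bytes=%zu\n",
           modulus_len_checked(GOOD_SPKI, sizeof GOOD_SPKI, &n), n);
    printf("bad key, checked: rc=%d\n",
           modulus_len_checked(BAD_SPKI, sizeof BAD_SPKI, &n));
    /* modulus_len_unchecked(BAD_SPKI, ...) would crash on the NULL key. */
    return 0;
}
```

The point of the two-stage split is that the structural check succeeding tells the consumer nothing about whether the key getter will return an object; any code path that obtains a key from a parsed certificate needs its own NULL check, exactly the check the unchecked consumer omits.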

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Debian: nicmx/fort-validator < 1.5.3-1~deb11u2 (+3)
Ubuntu: nicmx/fort-validator < 1.5.3-1ubuntu0.1 (+2)

Vulnerability Details (4)

OSV: fort-validator vulnerabilities (2025-10-08)
GHSA: GHSA-5mgq-44p6-x2pr: An issue was discovered in Fort before 1.6.3 ... (2024-08-25)
CVEList: CVE-2024-45238: An issue was discovered in Fort before 1.6.3 ... (2024-08-24)
OSV: CVE-2024-45238: An issue was discovered in Fort before 1.6.3 ... (2024-08-24)

Vendor Advisories (2)

Ubuntu: FORT Validator vulnerabilities (2025-10-08)
Debian: CVE-2024-45238: fort-validator - An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that d... (2024)
CVE-2024-45238 — NULL Pointer Dereference | cvebase