Nicmx Fort Validator vulnerabilities
4 known vulnerabilities affecting nicmx/fort_validator.
Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 1
Vulnerabilities
CVE-2024-56375 | HIGH | CVSS 7.5 | CWE-191 | v1.6.3, v1.6.4 | 2024-12-22
An integer underflow was discovered in Fort 1.6.3 and 1.6.4 before 1.6.5. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a Manifest RPKI object containing an empty fileList. Fort dereferences (and, shortly afterwards, writes to) this array during a shuffle attempt, before the validation that would
nvd
CVE-2024-56169 | MEDIUM | CVSS 5.3 | CWE-354 | ≤ 1.6.6 | 2024-12-18
A validation integrity issue was discovered in Fort through 1.6.4 before 2.0.0. RPKI Relying Parties (such as Fort) are supposed to maintain a backup cache of the remote RPKI data. This can be employed as a fallback in case a new fetch fails or yields incorrect files. However, the product currently uses its cache merely as a bandwidth saving tool (b
nvd
CVE-2024-45238 | HIGH | CVSS 7.5 | CWE-476 | fixed in 1.6.3 | 2024-08-24
An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing a bit string that doesn't properly decode into a Subject Public Key. OpenSSL does not report this problem during parsing, and when compiled with OpenSSL libcrypto versions
nvd
CVE-2024-45235 | HIGH | CVSS 7.5 | CWE-476 | fixed in 1.6.3 | 2024-08-24
An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing an Authority Key Identifier extension that lacks the keyIdentifier field. Fort references this pointer without sanitizing it first. Because Fort is an RPKI Relying Party,
nvd