CVE-2022-3616 – github.com/cloudflare/cfrpki

Package

Manager: go
Name: github.com/cloudflare/cfrpki
Vulnerable Version: >=0 <1.4.4

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00092 pctl0.26797

Details

OctoRPKI crashes when max iterations is reached ### Impact Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to Donika Mirdita and Haya Shulman - Fraunhofer SIT, ATHENE, who discovered and reported this vulnerability. ### Specific Go Packages Affected github.com/cloudflare/cfrpki/cmd/octorpki ### Patches This issue is fixed in v1.4.4 ### Workarounds None.

Metadata

Created: 2022-10-31T18:45:43Z
Modified: 2023-10-02T11:15:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-pmw9-567p-68pc/GHSA-pmw9-567p-68pc.json
CWE IDs: ["CWE-754", "CWE-834"]
Alternative ID: GHSA-pmw9-567p-68pc
Finding: F002
Auto approve: 1