Published: 11/11/2021 Updated: 01/02/2023

CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 668

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

OctoRPKI does not escape a URI with a filename containing "..", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on.

Vulnerable Product	Search on Vulmon	Subscribe to Product
cloudflare octorpki
debian debian linux 10.0
debian debian linux 11.0

Multiple vulnerabilities were discovered in Cloudflare's RPKI validator, which could result in denial of service or path traversal For the stable distribution (bullseye), these problems have been fixed in version 142-1~deb11u1 We recommend that you upgrade your cfrpki packages For the detailed security status of cfrpki please refer to its secu ...

Multiple vulnerabilities were discovered in the FORT RPKI validator, which could result in denial of service or path traversal For the stable distribution (bullseye), these problems have been fixed in version 153-1~deb11u1 We recommend that you upgrade your fort-validator packages For the detailed security status of fort-validator please refer ...

CWE-22 https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh https://www.debian.org/security/2021/dsa-5033 https://www.debian.org/security/2022/dsa-5041 https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3jhm-87m6-x959 https://nvd.nist.gov https://www.debian.org/security/2022/dsa-5041

CVE-2021-3907

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect