Haynespls

**Name of the Vulnerable Software and Affected Versions** OctoRPKI (affected versions not specified) **Description** The issue arises from OctoRPKI not limiting the depth of a certificate chain, allowing a Certificate Authority (CA) to create children in an ad-hoc manner. This results in tree traversal never ending, causing OctoRPKI to run indefinitely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OctoRPKI (affected versions not specified) **Description** The issue allows an attacker to create a repository that can cause OctoRPKI to run out of memory and crash. This is possible because OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, it unzips it in memory. The `HTTPFetcher.GetXML` function reads a response of unlimited size into memory, permitting resource exhaustion. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OctoRPKI (affected versions not specified) **Description** The issue is related to the RPKI-validator in OctoRPKI, which lacks proper checking of returned data when generating ROA (Route Origin Authorisation) objects. If a repository returns an ROA with an IP address containing too many bits, OctoRPKI will crash. This could potentially allow a remote attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OctoRPKI (affected versions not specified) **Description** The issue is related to the handling of invalid ROA (Route Origin Authorisation) objects by OctoRPKI. Specifically, when encountering a repository that returns an invalid ROA containing only an encoded NUL (`0`) character, OctoRPKI crashes. This can be exploited by a remote attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.