CVE-2021-3912

CVSS v2.0

4.3

Medium

Vector

AV:N/AC:M/Au:N/C:N/I:N/A:P

Name of the Vulnerable Software and Affected Versions OctoRPKI (affected versions not specified)

Description The issue allows an attacker to create a repository that can cause OctoRPKI to run out of memory and crash. This is possible because OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, it unzips it in memory. The HTTPFetcher.GetXML function reads a response of unlimited size into memory, permitting resource exhaustion.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Allocation of Resources Without Limits

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-770CWE-400

Related Identifiers

CVE-2021-3912

DSA-5041-1

GHSA-G9WH-3VRX-R7HG

GO-2022-0253

Affected Products

Octorpki

CVE-2021-3912

Weakness Enumeration

Related Identifiers

Affected Products

References · 19