| { |
| "schema_version": "1.4.0", |
| "id": "GHSA-g5gj-9ggf-9vmq", |
| "modified": "2021-11-10T18:18:55Z", |
| "published": "2021-11-10T20:38:53Z", |
| "aliases": [ |
| "CVE-2021-3908" |
| ], |
| "summary": "Infinite certificate chain depth results in OctoRPKI running forever", |
| "details": "OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end.\n\n## Patches \n\n## For more information\nIf you have any questions or comments about this advisory email us at security@cloudflare.com \n", |
| "affected": [ |
| { |
| "package": { |
| "ecosystem": "Go", |
| "name": "github.com/cloudflare/cfrpki/cmd/octorpki" |
| }, |
| "ranges": [ |
| { |
| "type": "ECOSYSTEM", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "1.4.0" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "severity": [ |
| { |
| "type": "CVSS_V3", |
| "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" |
| } |
| ], |
| "references": [ |
| { |
| "type": "WEB", |
| "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq" |
| }, |
| { |
| "type": "ADVISORY", |
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3908" |
| }, |
| { |
| "type": "PACKAGE", |
| "url": "https://github.com/cloudflare/cfrpki" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://github.com/cloudflare/cfrpki/releases/tag/v1.4.0" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://www.debian.org/security/2022/dsa-5041" |
| } |
| ], |
| "database_specific": { |
| "cwe_ids": [ |
| "CWE-400", |
| "CWE-835" |
| ], |
| "github_reviewed": true, |
| "github_reviewed_at": "2021-11-10T18:18:55Z", |
| "nvd_published_at": "2021-11-11T22:15:00Z", |
| "severity": "MODERATE" |
| } |
| } |
