| { |
| "schema_version": "1.4.0", |
| "id": "GHSA-g9wh-3vrx-r7hg", |
| "modified": "2021-11-10T18:19:37Z", |
| "published": "2021-11-10T20:39:23Z", |
| "aliases": [ |
| "CVE-2021-3912" |
| ], |
| "summary": "OctoRPKI crashes when processing GZIP bomb returned via malicious repository", |
| "details": "OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash). \n\n## Patches\n\n## For more information\nIf you have any questions or comments about this advisory email us at security@cloudflare.com\n\n", |
| "affected": [ |
| { |
| "package": { |
| "ecosystem": "Go", |
| "name": "github.com/cloudflare/cfrpki" |
| }, |
| "ranges": [ |
| { |
| "type": "ECOSYSTEM", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "1.4.0" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "severity": [ |
| { |
| "type": "CVSS_V3", |
| "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H" |
| } |
| ], |
| "references": [ |
| { |
| "type": "WEB", |
| "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg" |
| }, |
| { |
| "type": "ADVISORY", |
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3912" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://github.com/cloudflare/cfrpki/commit/648658b1b176a747b52645989cfddc73a81eacad" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://pkg.go.dev/vuln/GO-2022-0253" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://www.debian.org/security/2022/dsa-5041" |
| }, |
| { |
| "type": "PACKAGE", |
| "url": "github.com/cloudflare/cfrpki" |
| } |
| ], |
| "database_specific": { |
| "cwe_ids": [ |
| "CWE-400", |
| "CWE-770" |
| ], |
| "github_reviewed": true, |
| "github_reviewed_at": "2021-11-10T18:19:37Z", |
| "nvd_published_at": "2021-11-11T22:15:00Z", |
| "severity": "MODERATE" |
| } |
| } |
