blob: 168f628c3bd12260243ac0e2810fa89cafeec0cc [file] [log] [blame]
id: GO-TEST-ID
modules:
- module: github.com/cloudflare/cfrpki
versions:
- fixed: 1.4.0
vulnerable_at: 1.3.0
summary: OctoRPKI crashes when processing GZIP bomb returned via malicious repository
description: |-
OctoRPKI tries to load the entire contents of a repository in memory, and in the
case of a GZIP bomb, unzip it in memory, making it possible to create a
repository that makes OctoRPKI run out of memory (and thus crash).
## Patches
## For more information If you have any questions or comments about this
advisory email us at security@cloudflare.com
cves:
- CVE-2021-3912
ghsas:
- GHSA-g9wh-3vrx-r7hg
references:
- advisory: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-3912
- fix: https://github.com/cloudflare/cfrpki/commit/648658b1b176a747b52645989cfddc73a81eacad
- web: https://www.debian.org/security/2022/dsa-5041
notes:
- lint: 'description: possible markdown formatting (found ## )'
- lint: 'references: too many advisories (found 2, want <=1)'
- lint: 'summary: must contain an affected module or package path (e.g. "github.com/cloudflare/cfrpki")'