| id: GO-TEST-ID |
| modules: |
| - module: github.com/cloudflare/cfrpki |
| versions: |
| - fixed: 1.4.0 |
| vulnerable_at: 1.3.0 |
| packages: |
| - package: github.com/cloudflare/cfrpki/cmd/octorpki |
| summary: Infinite certificate chain depth results in OctoRPKI running forever |
| description: |- |
| OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to |
| create children in an ad-hoc fashion, thereby making tree traversal never end. |
| |
| ## Patches |
| |
| ## For more information If you have any questions or comments about this |
| advisory email us at security@cloudflare.com |
| cves: |
| - CVE-2021-3908 |
| ghsas: |
| - GHSA-g5gj-9ggf-9vmq |
| references: |
| - advisory: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq |
| - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-3908 |
| - web: https://github.com/cloudflare/cfrpki/releases/tag/v1.4.0 |
| - web: https://www.debian.org/security/2022/dsa-5041 |
| notes: |
| - lint: 'description: possible markdown formatting (found ## )' |
| - lint: 'references: too many advisories (found 2, want <=1)' |
| - lint: 'summary: must contain an affected module or package path (e.g. "github.com/cloudflare/cfrpki")' |
