| id: GO-TEST-ID |
| modules: |
| - module: github.com/cloudflare/cfrpki |
| versions: |
| - fixed: 1.4.0 |
| vulnerable_at: 1.3.0 |
| summary: OctoRPKI crashes when processing GZIP bomb returned via malicious repository |
| description: |- |
| OctoRPKI tries to load the entire contents of a repository in memory, and in the |
| case of a GZIP bomb, unzip it in memory, making it possible to create a |
| repository that makes OctoRPKI run out of memory (and thus crash). |
| |
| ## Patches |
| |
| ## For more information If you have any questions or comments about this |
| advisory email us at security@cloudflare.com |
| cves: |
| - CVE-2021-3912 |
| ghsas: |
| - GHSA-g9wh-3vrx-r7hg |
| references: |
| - advisory: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg |
| - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-3912 |
| - fix: https://github.com/cloudflare/cfrpki/commit/648658b1b176a747b52645989cfddc73a81eacad |
| - web: https://www.debian.org/security/2022/dsa-5041 |
| notes: |
| - lint: 'description: possible markdown formatting (found ## )' |
| - lint: 'references: too many advisories (found 2, want <=1)' |
| - lint: 'summary: must contain an affected module or package path (e.g. "github.com/cloudflare/cfrpki")' |
