CVE-2021-3912 MEDIUM

CVE-2021-3912: OctoRPKI crashes when processing GZIP bomb returned via malicious repository

Vendor Cloudflare
Product octorpki
Weakness CWE-400
Published November 11, 2021
Last update September 16, 2024

CVSS base score

4.2/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash).

Key dates

02Disclosure timeline

November 11, 2021 CVE published
September 16, 2024 Record updated