Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-3761

Good to know:

icon

Date: September 9, 2021

Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitting an invalid VRP "MaxLength" value, causing RTR sessions to terminate. An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 13335 - Cloudflare) prior to launching a BGP hijack which during normal operations would be rejected as "RPKI invalid". Additionally, in certain deployments RTR session flapping in and of itself also could cause BGP routing churn, causing availability issues.

Language: Go

Severity Score

Related Resources (9)

https://github.com/cloudflare/cfrpki/pull/90
github.com/cloudflare/cfrpki
https://nvd.nist.gov/vuln/detail/CVE-2021-3761
https://github.com/cloudflare/cfrpki/commit/a8db4e009ef217484598ba1fd1c595b54e0f6422
https://www.debian.org/security/2022/dsa-5041
https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9
https://github.com/cloudflare/cfrpki/releases/tag/v1.3.0
https://pkg.go.dev/vuln/GO-2022-0246
https://www.mend.io/vulnerability-database/CVE-2021-3761

Severity Score

Weakness Type (CWE)

Improper Certificate Validation

CWE-295

Out-of-bounds Write

CWE-787

Top Fix

icon

Upgrade Version

Upgrade to version v1.3.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us