CVE-2021-3909

OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.4 MEDIUM
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
cloudflareCNA
4.4 MEDIUM
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 71%
VendorProductVersion
cloudflareoctorpki
𝑥
< 1.3.0
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
cfrpki
bullseye (security)
1.4.2-1~deb11u1
fixed
bullseye
1.4.2-1~deb11u1
ignored
bookworm
1.4.4-1
fixed
fort-validator
bullseye (security)
1.5.3-1~deb11u1
fixed
bullseye
1.5.3-1~deb11u1
ignored
bookworm
1.5.4-1
fixed
sid
1.6.4+20240930-1
fixed
trixie
1.6.4+20240930-1
fixed
rpki-client
bullseye
ignored
bookworm
8.2-2
fixed
sid
9.3-1
fixed
trixie
9.3-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
cfrpki
noble
dne
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
hirsute
ignored
xenial
ignored
trusty
ignored
Common Weakness Enumeration
References
https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244
https://www.debian.org/security/2021/dsa-5033
https://www.debian.org/security/2022/dsa-5041
https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244
https://www.debian.org/security/2021/dsa-5033
https://www.debian.org/security/2022/dsa-5041