github.com/cloudflare/cfrpki (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/cloudflare/cfrpki, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (9)
CVE-2021-3978 — CVSS 7.5 (high): When copying files with rsync, octorpki uses the "-a" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the…
CVE-2021-3761 — CVSS 7.5 (high): Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitting an invalid VRP "MaxLength" value, causing RTR sessions to…
CVE-2021-3907 — CVSS 7.4 (high): OctoRPKI does not escape a URI with a filename containing "..", this allows a repository to create a file, (ex. rsync://example.org/repo/../…
CVE-2021-3908 — CVSS 5.9 (medium): OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree…
CVE-2022-3616 — CVSS 5.4 (medium): Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause…
CVE-2021-3910 — CVSS 4.4 (medium): OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\0) character).
CVE-2021-3909 — CVSS 4.4 (medium): OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever…
CVE-2021-3911 — CVSS 4.2 (medium): If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash.
CVE-2021-3912 — CVSS 4.2 (medium): OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it…