Moderate severity · NVD Advisory · Published Nov 11, 2021 · Updated Sep 16, 2024
OctoRPKI crashes when processing GZIP bomb returned via malicious repository
CVE-2021-3912
Description
OctoRPKI loads the entire contents of a repository into memory and, when that content is a GZIP bomb, also decompresses it fully in memory. A malicious repository can therefore be crafted so that OctoRPKI exhausts available memory and crashes.
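The pattern the description refers to, and the usual fix for it, as an added example in Go (the language OctoRPKI is written in). This is illustration code, not OctoRPKI's code or its actual patch: the function names, the constructed gzip payload and the 1 MiB cap are all assumptions. `unboundedGunzip` shows the vulnerable shape (decompress everything the remote hands you, so peak memory is chosen by the attacker); `boundedGunzip` caps decompressed output with `io.LimitReader` and rejects a payload before it is fully expanded.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when decompressed output exceeds the configured cap.
var ErrTooLarge = errors.New("decompressed data exceeds size limit")

// makeGzipBomb builds a constructed test input: n bytes of zeros compressed
// with gzip. Highly redundant data compresses at roughly 1000:1, so a few KB
// of gzip expands to many MB. It stands in for the malicious repository
// content described in the advisory and is not taken from the project.
func makeGzipBomb(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zeros := make([]byte, 64*1024)
	for written := 0; written < n; {
		chunk := len(zeros)
		if n-written < chunk {
			chunk = n - written
		}
		zw.Write(zeros[:chunk])
		written += chunk
	}
	zw.Close()
	return buf.Bytes()
}

// unboundedGunzip mirrors the vulnerable pattern: decompress everything into
// memory with no limit, so memory use is dictated by the remote payload.
func unboundedGunzip(compressed []byte) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// boundedGunzip decompresses at most maxBytes. It reads one byte past the
// limit so a payload exactly at the limit is accepted while anything larger
// is rejected without being expanded further.
func boundedGunzip(compressed []byte, maxBytes int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	out, err := io.ReadAll(io.LimitReader(zr, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxBytes {
		return nil, ErrTooLarge
	}
	return out, nil
}

func main() {
	bomb := makeGzipBomb(64 << 20) // 64 MiB of zeros, a few tens of KB compressed
	fmt.Printf("compressed payload: %d bytes\n", len(bomb))

	// Vulnerable: the whole payload is expanded; with a large enough bomb this
	// is where a process runs out of memory.
	data, err := unboundedGunzip(bomb)
	fmt.Printf("unbounded: %d bytes, err=%v\n", len(data), err)

	// Hardened: rejected as soon as the 1 MiB cap is crossed.
	_, err = boundedGunzip(bomb, 1<<20)
	fmt.Printf("bounded: err=%v\n", err)
}
```

The cap should be sized to the largest legitimate object the fetcher expects, and the same limit belongs on the compressed download itself; bounding only one of the two still lets the other side grow without limit.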
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/cloudflare/cfrpki | Go | < 1.4.0 | 1.4.0 |
References
- https://github.com/advisories/GHSA-g9wh-3vrx-r7hg (GitHub Advisory Database)
- https://nvd.nist.gov/vuln/detail/CVE-2021-3912 (NVD)
- https://www.debian.org/security/2022/dsa-5041 (Debian vendor advisory)
- https://github.com/cloudflare/cfrpki (package repository)
- https://github.com/cloudflare/cfrpki/commit/648658b1b176a747b52645989cfddc73a81eacad (fix commit)
- https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg (project security advisory)
- https://pkg.go.dev/vuln/GO-2022-0253 (Go vulnerability database)