CVE-2022-3616
Published: 28 October 2022
An attacker can create a long chain of CAs that leads OctoRPKI to exceed its max iterations parameter. Instead of stopping gracefully, the program crashes, so validation never finishes and the result is a denial of service for the validator. Credits to Donika Mirdita and Haya Shulman (Fraunhofer SIT, ATHENE), who discovered and reported this vulnerability.
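The failure mode described above, as an added example that is not OctoRPKI's own code and not part of this tracker entry: a constructed in-memory CA tree (`ca`, `buildChain`) is walked with a fixed iteration budget. `walkAbort` models the vulnerable behaviour, treating budget exhaustion as fatal and throwing away the whole run, which is what lets one long chain deny service; `walkBounded` keeps the same budget and adds a per-chain depth cap (`maxDepth`, an assumed parameter) but treats exhaustion as an ordinary, reportable outcome so that validation still completes with the CAs it did reach. All names are illustrative and the traversal does not reproduce OctoRPKI's actual internals.

```go
package main

import (
	"errors"
	"fmt"
)

// ca is a minimal stand-in for a certificate authority in an RPKI tree:
// a name and the subordinate CAs it has issued certificates for.
// Constructed model for illustration, not OctoRPKI's data types.
type ca struct {
	name     string
	children []*ca
}

// errMaxIterations is returned by the vulnerable walker when the budget runs out.
var errMaxIterations = errors.New("max iterations exceeded")

// buildChain constructs a linear chain root -> ca1 -> ca2 -> ... of the given
// depth: the shape an attacker would publish to exhaust a fixed iteration
// budget. Constructed test input.
func buildChain(depth int) *ca {
	root := &ca{name: "root"}
	cur := root
	for i := 1; i <= depth; i++ {
		next := &ca{name: fmt.Sprintf("ca%d", i)}
		cur.children = append(cur.children, next)
		cur = next
	}
	return root
}

// walkAbort models the vulnerable behaviour: an exhausted budget is treated as
// a fatal error, so a single long chain aborts the whole validation run (in a
// real process this is the crash described in the advisory). Nothing already
// validated survives.
func walkAbort(root *ca, maxIterations int) ([]string, error) {
	var visited []string
	queue := []*ca{root}
	for len(queue) > 0 {
		if len(visited) >= maxIterations {
			return nil, errMaxIterations
		}
		node := queue[0]
		queue = queue[1:]
		visited = append(visited, node.name)
		queue = append(queue, node.children...)
	}
	return visited, nil
}

// item pairs a CA with its depth below the root so that chain length can be
// bounded independently of the total iteration budget.
type item struct {
	node  *ca
	depth int
}

// walkBounded is the hardened form: the budget and a per-chain depth cap are
// enforced, but hitting either one is an ordinary outcome. CAs already
// validated are kept, unexplored CAs are reported as skipped, and the run
// completes instead of crashing.
func walkBounded(root *ca, maxIterations, maxDepth int) (visited, skipped []string) {
	queue := []item{{root, 0}}
	for len(queue) > 0 {
		it := queue[0]
		queue = queue[1:]
		if len(visited) >= maxIterations || it.depth > maxDepth {
			skipped = append(skipped, it.node.name)
			continue // do not descend; the queue drains and the walk terminates
		}
		visited = append(visited, it.node.name)
		for _, c := range it.node.children {
			queue = append(queue, item{c, it.depth + 1})
		}
	}
	return visited, skipped
}

func main() {
	chain := buildChain(10) // 11 CAs including the root
	if _, err := walkAbort(chain, 5); err != nil {
		fmt.Println("vulnerable walker:", err, "(entire run lost)")
	}
	visited, skipped := walkBounded(chain, 5, 100)
	fmt.Printf("bounded walker: validated %d CAs, skipped %v\n", len(visited), skipped)
	visited, skipped = walkBounded(chain, 100, 3)
	fmt.Printf("depth-capped walker: validated %d CAs, skipped %v\n", len(visited), skipped)
}
```

The point of separating the depth cap from the iteration budget is that a long chain is cut off at a fixed length without consuming the budget that other, legitimate subtrees still need; with only a global budget, one attacker-controlled branch can starve the rest of the tree even when exhaustion is handled gracefully.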
Priority
Status
Package | Release | Status |
---|---|---|
cfrpki (Launchpad, Ubuntu, Debian) | kinetic | Ignored (end of life, was needs-triage) |
cfrpki | jammy | Needs triage |
cfrpki | trusty | Ignored (end of standard support) |
cfrpki | upstream | Released (1.4.4-1) |
cfrpki | xenial | Ignored (end of standard support) |
cfrpki | bionic | Does not exist |
cfrpki | focal | Does not exist |
cfrpki | mantic | Not vulnerable (1.4.4-1) |
cfrpki | lunar | Ignored (end of life, was needs-triage) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality impact | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |