CVE-2023-0158

Source
https://cve.org/CVERecord?id=CVE-2023-0158
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-0158.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-0158
Published
2023-01-17T17:15:11.837Z
Modified
2026-03-14T12:00:49.801605Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

NLnet Labs Krill supports direct access to the RRDP repository content through its built-in web server at the "/rrdp" endpoint. Prior to 0.12.1, a direct query for any existing directory under "/rrdp/", rather than for an RRDP file such as "/rrdp/notification.xml" as would be expected, causes Krill to crash. If the built-in "/rrdp" endpoint is exposed directly to the internet, malicious remote parties can cause the publication server to crash. The repository content is not affected, but the availability of the server and repository suffers if this attack is persistent and is not mitigated.

References

Affected packages

Git / github.com/nlnetlabs/krill

Affected ranges

Type
GIT
Repo
https://github.com/nlnetlabs/krill
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.12.1"
        }
    ]
}

Affected versions

v0.*
v0.1.0
v0.10.0
v0.10.0-rc1
v0.10.0-rc2
v0.10.0-rc3
v0.10.1
v0.10.2
v0.10.3
v0.11.0
v0.11.0-rc1
v0.12.0
v0.12.0-rc1
v0.12.0-rc2
v0.12.0-rc3
v0.2.0
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.8.0
v0.8.0-rc1
v0.8.0-rc2
v0.8.1
v0.8.1-rc1
v0.8.2
v0.9.0
v0.9.0-rc1
v0.9.0-rc2
v0.9.0-rc3
v0.9.1
v0.9.1-rc1
v0.9.1-rc2
v0.9.2
v0.9.2-rc1
v0.9.2-rc2
v0.9.2-rc3
v0.9.3
v0.9.3-rc1
v0.9.3-rc2
v0.9.3-rc3
v0.9.4
v0.9.5
v0.9.5-rc2
v0.9.5-rc7
v0.9.5-rc8
v0.9.5-rc9
v0.9.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-0158.json"