GHSA-37xq-q42p-rv3p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-37xq-q42p-rv3p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-37xq-q42p-rv3p/GHSA-37xq-q42p-rv3p.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-37xq-q42p-rv3p
- Published
- 2023-08-24T22:18:39Z
- Modified
- 2024-06-26T15:20:09Z
- Severity
-
- 2.6 (Low) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- ntpd has Dependency on Vulnerable Third-Party Component
- Details
-
During startup, an attacker that can man-in-the-middle traffic to and from NTS key exchange servers can trigger a very expensive key validation process due to a vulnerability in webpki.
Impact
This vulnerability can lead to excessive cpu usage on startup on clients configured to use NTS
Patches
Affected users are recommended to upgrade to version 0.3.7
References
See also https://github.com/rustsec/advisory-db/blob/main/crates/rustls-webpki/RUSTSEC-2023-0053.md
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-1395" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2023-08-24T22:18:39Z" }- References
-
- https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-37xq-q42p-rv3p
- https://github.com/pendulum-project/ntpd-rs/commit/927952a440176a18f3ded132eb831ae7f7ac5c00
- https://github.com/pendulum-project/ntpd-rs
- https://github.com/rustsec/advisory-db/blob/main/crates/rustls-webpki/RUSTSEC-2023-0053.md
Affected packages
crates.io / ntpd
Package
- Name
- ntpd
- View open source insights on deps.dev
- Purl
- pkg:cargo/ntpd