GHSA-8cvr-4rrf-f244
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8cvr-4rrf-f244
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-8cvr-4rrf-f244/GHSA-8cvr-4rrf-f244.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8cvr-4rrf-f244
- Aliases
- Published
- 2021-11-10T20:15:44Z
- Modified
- 2024-08-21T14:57:04.575301Z
- Severity
-
- 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Infinite open connection causes OctoRPKI to hang forever
- Details
-
OctoRPKI (github.com/cloudflare/cfrpki/cmd/octorpki) does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive.
Patches
For more information
If you have any questions or comments about this advisory email us at security@cloudflare.com
- Database specific
{ "nvd_published_at": "2021-11-11T22:15:00Z", "cwe_ids": [ "CWE-400" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-11-10T18:18:28Z" }- References
-
- https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244
- https://nvd.nist.gov/vuln/detail/CVE-2021-3909
- https://github.com/cloudflare/cfrpki
- https://github.com/cloudflare/cfrpki/releases/tag/v1.4.0
- https://www.debian.org/security/2021/dsa-5033
- https://www.debian.org/security/2022/dsa-5041
Affected packages
Go / github.com/cloudflare/cfrpki
Package
- Name
- github.com/cloudflare/cfrpki
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/cloudflare/cfrpki