GHSA-q76j-58cx-wp5v

Source
https://github.com/advisories/GHSA-q76j-58cx-wp5v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-q76j-58cx-wp5v/GHSA-q76j-58cx-wp5v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q76j-58cx-wp5v
Published
2020-11-13T17:28:49Z
Modified
2020-11-13T17:28:31Z
Summary
Vulnerability in RPKI manifest validation
Details

A vulnerability in RPKI manifest validation exists when objects listed on the manifest are hidden, or when expired objects are replayed. An attacker successfully exploiting this vulnerability could prevent new ROAs from being received, or selectively hide ROAs, causing affected routes to be evaluated as INVALID.

To exploit this vulnerability, an attacker would need to perform a man-in-the-middle attack on the TLS connection between the validator and an RRDP repository, or a man-in-the-middle attack against an rsync-only repository.

The update addresses the vulnerability by implementing validation methods from RFC 6486bis and enabling strict validation by default.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-11-13T17:28:31Z"
}
References

Affected packages

Maven / net.ripe.rpki:rpki-validator-3

Package

Name
net.ripe.rpki:rpki-validator-3
Purl
pkg:maven/net.ripe.rpki/rpki-validator-3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.2-2020.10.28.23.06

Database specific

{
    "last_known_affected_version_range": "<= 3.2-2020.10.28.22.25"
}