Vulnerability DatabaseCVE-2021-3761
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2021-3761
September 09, 2021
Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitting an invalid VRP "MaxLength" value, causing RTR sessions to terminate. An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 13335 - Cloudflare) prior to launching a BGP hijack which during normal operations would be rejected as "RPKI invalid". Additionally, in certain deployments RTR session flapping in and of itself also could cause BGP routing churn, causing availability issues.
Related ResourcesĀ (8)
https://nvd.nist.gov/vuln/detail/CVE-2021-3761
https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9
https://pkg.go.dev/vuln/GO-2022-0246
https://www.debian.org/security/2022/dsa-5041
https://github.com/cloudflare/cfrpki/pull/90
https://github.com/cloudflare/cfrpki/commit/a8db4e009ef217484598ba1fd1c595b54e0f6422
https://github.com/cloudflare/cfrpki/releases/tag/v1.3.0
github.com/cloudflare/cfrpki
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
CVSS v2
Base Score:
5
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
Weakness Type (CWE)
Improper Certificate Validation
CWE-295
Out-of-bounds Write
CWE-787
EPSS
Base Score:
0.45