Home > Vulnerability Database > CVE-2024-56375

Mend.io Vulnerability Database

CVE-2024-56375

Date: December 21, 2024

An integer underflow was discovered in Fort 1.6.3 and 1.6.4 before 1.6.5. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a Manifest RPKI object containing an empty fileList. Fort dereferences (and, shortly afterwards, writes to) this array during a shuffle attempt, before the validation that would normally reject it when empty. This out-of-bounds access is caused by an integer underflow that causes the surrounding loop to iterate infinitely. Because the product is permanently stuck attempting to overshuffle an array that doesn't actually exist, a crash is nearly guaranteed.

Language: C

Severity Score

7.5

Related Resources (5)

Url: https://github.com/NICMx/FORT-validator/issues/154

Url: https://nicmx.github.io/FORT-validator/CVE.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-56375

Url: https://security-tracker.debian.org/tracker/CVE-2024-56375

Url: https://www.mend.io/vulnerability-database/CVE-2024-56375

Severity Score

7.5

Weakness Type (CWE)

Integer Underflow (Wrap or Wraparound)

CWE-191

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-56375

Date: December 21, 2024

Language: C

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?