{"containers": {"cna": {"affected": [{"product": "octorpki", "vendor": "Cloudflare", "versions": [{"lessThan": "1.4.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Koen van Hove"}], "datePublic": "2021-11-01T00:00:00", "descriptions": [{"lang": "en", "value": "OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-12T10:06:24", "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "shortName": "cloudflare"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"}, {"name": "DSA-5033", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-5033"}, {"name": "DSA-5041", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2022/dsa-5041"}], "solutions": [{"lang": "en", "value": "Upgrade to 1.4"}], "source": {"discovery": "EXTERNAL"}, "title": "Infinite open connection causes OctoRPKI to hang forever", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@cloudflare.com", "DATE_PUBLIC": "2021-11-01T22:41:00.000Z", "ID": "CVE-2021-3909", "STATE": "PUBLIC", "TITLE": "Infinite open connection causes OctoRPKI to hang forever"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "octorpki", "version": {"version_data": [{"version_affected": "<", "version_value": "1.4.0"}]}}]}, "vendor_name": "Cloudflare"}]}}, "credit": [{"lang": "eng", "value": "Koen van Hove"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244", "refsource": "MISC", "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"}, {"name": "DSA-5033", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-5033"}, {"name": "DSA-5041", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5041"}]}, "solution": [{"lang": "en", "value": "Upgrade to 1.4"}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:09:09.584Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"}, {"name": "DSA-5033", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-5033"}, {"name": "DSA-5041", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5041"}]}]}, "cveMetadata": {"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "assignerShortName": "cloudflare", "cveId": "CVE-2021-3909", "datePublished": "2021-11-11T21:45:19.611444Z", "dateReserved": "2021-10-26T00:00:00", "dateUpdated": "2024-09-16T23:06:15.208Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudflare:octorpki:*:*:*:*:*:*:*:*", "matchCriteriaId": "A39C112F-E066-40D1-9CAC-9D9F89B467EE", "versionEndExcluding": "1.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive."}, {"lang": "es", "value": "OctoRPKI no limita la duraci\u00f3n de una conexi\u00f3n, permitiendo que se produzca un ataque slowloris DOS que hace que OctoRPKI espere eternamente. En concreto, el repositorio al que OctoRPKI env\u00eda peticiones HTTP mantendr\u00e1 la conexi\u00f3n abierta durante un d\u00eda antes de que se devuelva una respuesta, pero sigue alimentando con nuevos bytes para mantener viva la conexi\u00f3n"}], "id": "CVE-2021-3909", "lastModified": "2024-11-21T06:22:45.307", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 3.6, "source": "cna@cloudflare.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-11T22:15:07.923", "references": [{"source": "cna@cloudflare.com", "tags": ["Third Party Advisory"], "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"}, {"source": "cna@cloudflare.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-5033"}, {"source": "cna@cloudflare.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5041"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-5033"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5041"}], "sourceIdentifier": "cna@cloudflare.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "cna@cloudflare.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}