Home

CVE-2021-3909

Description

OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive.

Risk Information

Base Score
7.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
Exploitation Probability
0.735

Associated Vulnerability

VulnerabilityOS Platform
fort-validator security update(DSA-5033-1) fort-validator_1.5.3-1~deb11u1_amd64.debLinux
fort-validator security update(DSA-5033-1) fort-validator_1.5.3-1~deb11u1_i386.debLinux
cfrpki security update(DSA-5041-1) octorpki_1.4.2-1~deb11u1_i386.debLinux
cfrpki security update(DSA-5041-1) octorpki_1.4.2-1~deb11u1_amd64.debLinux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234