Vulnerability Description
OctoRPKI does not limit the duration of a connection, allowing a Slowloris-style DoS attack that makes OctoRPKI wait forever. Specifically, a repository that OctoRPKI sends HTTP requests to can hold the connection open for a day before returning a response while drip-feeding new bytes to keep the connection alive.
CVSS Score
4.4 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cloudflare | Octorpki | < 1.3.0 |
| Debian | Debian Linux | 11.0 |
Related Weaknesses (CWE)
References
- https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244 (Third Party Advisory)
- https://www.debian.org/security/2021/dsa-5033 (Third Party Advisory)
- https://www.debian.org/security/2022/dsa-5041 (Third Party Advisory)
FAQ
What is CVE-2021-3909?
CVE-2021-3909 is a vulnerability with a CVSS score of 4.4 (MEDIUM). OctoRPKI does not limit the duration of a connection, allowing a Slowloris-style DoS attack that makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests ...
How severe is CVE-2021-3909?
CVE-2021-3909 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-3909?
Check the references section above for vendor advisories and patch information. Affected products include: Cloudflare Octorpki, Debian Debian Linux.