CVE-2024-45236

An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a signed object containing an empty signedAttributes field. Fort accesses the set's elements without sanitizing it first. Because Fort is an RPKI Relying Party, a crash can lead to Route Origin Validation unavailability, which can lead to compromised routing.
References
Link Resource
https://nicmx.github.io/FORT-validator/CVE.html Patch Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:nicmx:fort-validator:*:*:*:*:*:*:*:*

History

27 Aug 2024, 15:48

Type Values Removed Values Added
First Time Nicmx
Nicmx fort-validator
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CWE NVD-CWE-noinfo
CPE cpe:2.3:a:nicmx:fort-validator:*:*:*:*:*:*:*:*
References () https://nicmx.github.io/FORT-validator/CVE.html - () https://nicmx.github.io/FORT-validator/CVE.html - Patch, Third Party Advisory

26 Aug 2024, 12:47

Type Values Removed Values Added
Summary
  • (es) Se descubrió un problema en Fort antes de la versión 1.6.3. Un repositorio RPKI malicioso que desciende de un Trust Anchor (confiable) puede servir (a través de rsync o RRDP) un objeto firmado que contenga un campo firmadoAttributes vacío. Fort accede a los elementos del decorado sin desinfectarlo previamente. Debido a que Fort es una parte de confianza de RPKI, una falla puede provocar que la validación del origen de la ruta no esté disponible, lo que puede comprometer el enrutamiento.

24 Aug 2024, 23:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-24 23:15

Updated : 2024-08-27 15:48


NVD link : CVE-2024-45236

Mitre link : CVE-2024-45236

CVE.ORG link : CVE-2024-45236


JSON object : View

Products Affected

nicmx

  • fort-validator