CVSS: 7.5 • EPSS: 0% • CPEs: 3 • EXPL: 0

24 Aug 2024 — An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing a bit string that doesn't properly decode into a Subject Public Key. OpenSSL does not report this problem during parsing, and when compiled with OpenSSL libcrypto versions below 3, Fort recklessly dereferences the pointer. Because Fort is an RPKI Relying Party, a crash can lead to Route Origin Validation unavailability, which ca... • https://nicmx.github.io/FORT-validator/CVE.html • CWE-476: NULL Pointer Dereference •

CVSS: 10.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

24 Aug 2024 — An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing a Key Usage extension composed of more than two bytes of data. Fort writes this string into a 2-byte buffer without properly sanitizing its length, leading to a buffer overflow. • https://nicmx.github.io/FORT-validator/CVE.html • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •

CVSS: 7.5 • EPSS: 0% • CPEs: 3 • EXPL: 0

24 Aug 2024 — An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing an Authority Key Identifier extension that lacks the keyIdentifier field. Fort references this pointer without sanitizing it first. Because Fort is an RPKI Relying Party, a crash can lead to Route Origin Validation unavailability, which can lead to compromised routing. • https://nicmx.github.io/FORT-validator/CVE.html • CWE-476: NULL Pointer Dereference •

CVSS: 7.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

24 Aug 2024 — An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a signed object containing an empty signedAttributes field. Fort accesses the set's elements without sanitizing it first. Because Fort is an RPKI Relying Party, a crash can lead to Route Origin Validation unavailability, which can lead to compromised routing. • https://nicmx.github.io/FORT-validator/CVE.html • CWE-20: Improper Input Validation •

CVSS: 7.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

09 Nov 2021 — FORT Validator versions prior to 1.5.2 will crash if an RPKI CA publishes an X.509 EE certificate. This will cause RTR clients such as BGP routers to lose access to the RPKI VRP data set, effectively disabling Route Origin Validation. • https://github.com/NICMx/FORT-validator/commit/274dc14aed1eb9b3350029d1063578a6b9c77b54 •