CVE-2024-45237

Aug. 27, 2024, 3:48 p.m.

9.8
Critical

Description

An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing a Key Usage extension composed of more than two bytes of data. Fort writes this string into a 2-byte buffer without properly sanitizing its length, leading to a buffer overflow.

Product(s) Impacted

Vendor Product Versions
Nicmx
  • Fort-validator
  • *

Weaknesses

CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

*CPE(s)

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a nicmx fort-validator / / / / / / / /

References

https://nicmx.github.io/FORT-validator/CVE.html

Tags

cve@mitre.org
CWE-120
2024-08-24
CVE-2024-45237

CVSS Score

9.8 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Date

  • Published: Aug. 24, 2024, 11:15 p.m.
  • Last Modified: Aug. 27, 2024, 3:48 p.m.

Status : Analyzed

CVE has had analysis completed and all data associations made.

More info

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.