CVE-2024-45238 PUBLISHED CVSS 7.5 HIGH

An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate whose subjectPublicKey BIT STRING does not decode into a valid Subject Public Key. OpenSSL does not report this problem when it parses the certificate, and when Fort is compiled against OpenSSL libcrypto versions below 3 it dereferences the resulting pointer without checking it, so the validator crashes; builds linked against OpenSSL 3.x do not exhibit the crash, per the description. Because Fort is an RPKI Relying Party, a crash makes Route Origin Validation unavailable to the routers that depend on it, which can lead to compromised routing. Fort 1.6.3 contains the fix.
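The failure mode in the description, as an added example that is not Fort's or OpenSSL's code: a stdlib-only Python walk over a SubjectPublicKeyInfo. `outer_structure_parses` models a certificate parser that treats subjectPublicKey as an opaque BIT STRING and therefore reports nothing wrong; `parse_rsa_spki` goes one layer further and decodes the BIT STRING payload as an RSAPublicKey (RPKI certificates use rsaEncryption, RFC 7935) and fails on the malformed input; `subject_key_or_none` is the caller-side check the advisory says was missing, returning "no key" instead of handing back something the caller will use. The two sample SPKIs and the toy modulus are constructed for this example, and every function name here is this example's own, not Fort's.

```python
# Added example, not Fort's or OpenSSL's code: a stdlib-only DER walk over a
# SubjectPublicKeyInfo that separates "the outer framing parses" from "the
# subjectPublicKey BIT STRING decodes into an RSAPublicKey". Sample inputs
# are constructed here; the modulus is a toy value, not a real key.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

class SpkiError(ValueError): pass  # the SPKI did not decode as expected

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise SpkiError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise SpkiError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise SpkiError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def _expect(buf, pos, tag):
    """Read a TLV and require a specific tag; return (value, next_pos)."""
    got, value, nxt = _read_tlv(buf, pos)
    if got != tag:
        raise SpkiError("expected tag 0x%02x, got 0x%02x" % (tag, got))
    return value, nxt

def outer_structure_parses(der):
    """What a parser that treats subjectPublicKey as an opaque BIT STRING accepts:
    SEQUENCE { AlgorithmIdentifier, BIT STRING } frames; payload never inspected."""
    try:
        spki, end = _expect(der, 0, 0x30)
        _, pos = _expect(spki, 0, 0x30)
        _, pos = _expect(spki, pos, 0x03)
        return end == len(der) and pos == len(spki)
    except SpkiError:
        return False

def parse_rsa_spki(der):
    """Fully decode an RPKI-style SPKI (rsaEncryption, RFC 7935) and return (n, e);
    raise SpkiError if any layer fails, including the RSAPublicKey in the BIT STRING."""
    spki, end = _expect(der, 0, 0x30)
    alg, pos = _expect(spki, 0, 0x30)
    oid, apos = _expect(alg, 0, 0x06)
    if oid != RSA_ENCRYPTION_OID:
        raise SpkiError("algorithm is not rsaEncryption")
    params, apos = _expect(alg, apos, 0x05)  # parameters must be NULL
    bitstr, pos = _expect(spki, pos, 0x03)
    if end != len(der) or apos != len(alg) or params or pos != len(spki):
        raise SpkiError("trailing or malformed bytes in SubjectPublicKeyInfo")
    if not bitstr or bitstr[0] != 0:
        raise SpkiError("BIT STRING must have zero unused bits")
    # The step the advisory is about: the BIT STRING payload is itself DER
    # (RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER })
    # and can be garbage even though every layer above decoded cleanly.
    key = bitstr[1:]
    rsa, kend = _expect(key, 0, 0x30)
    n_bytes, kpos = _expect(rsa, 0, 0x02)
    e_bytes, kpos = _expect(rsa, kpos, 0x02)
    if kend != len(key) or kpos != len(rsa):
        raise SpkiError("trailing bytes in RSAPublicKey")
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    if n <= 0 or e <= 0:
        raise SpkiError("non-positive modulus or exponent")
    return n, e

def subject_key_or_none(der):
    """The check a relying party needs before using the key: (n, e), or None
    when the SPKI does not decode, rather than using an invalid result."""
    try:
        return parse_rsa_spki(der)
    except SpkiError:
        return None

# DER encoders, used only to construct the sample inputs below.
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _der_int(x):
    b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return _tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)  # keep positive

def _spki_with_payload(payload):
    alg = _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + _tlv(0x05, b""))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + payload))

SAMPLE_N, SAMPLE_E = (1 << 255) | 0xDEADBEEF, 65537  # constructed toy values
GOOD_SPKI = _spki_with_payload(_tlv(0x30, _der_int(SAMPLE_N) + _der_int(SAMPLE_E)))
# Same valid framing, but the BIT STRING carries bytes that are not an
# RSAPublicKey: the shape of certificate the advisory describes.
BAD_SPKI = _spki_with_payload(bytes.fromhex("deadbeef"))
```

Both samples pass `outer_structure_parses`, which is the "OpenSSL does not report this problem during parsing" half of the description; only `parse_rsa_spki` rejects `BAD_SPKI`, and `subject_key_or_none` turns that rejection into a value the caller has to test. For a deployed Fort the operational check is simpler: run 1.6.3 or later, or confirm which libcrypto the binary is actually linked against (on Linux, `ldd $(command -v fort) | grep libcrypto` shows the soname, e.g. `libcrypto.so.3` versus `libcrypto.so.1.1`).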


Risk Scores

  • CVSS 3.1: 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (network-reachable, low attack complexity, no privileges or user interaction required; availability impact only, matching the crash described above)
  • EPSS: 0.77% (73.9th percentile)

Affected Products

  Vendor                  Product         Versions
  n/a                     n/a             *
  fort_validator_project  fort_validator  0
  nicmx                   fort_validator  0

The version fields above are unspecific; the description identifies every Fort release before 1.6.3 as affected (when built against OpenSSL libcrypto below 3), with 1.6.3 as the fixed version.

Timeline

  • Aug 24, 2024 CVE Published
  • Aug 25, 2024 EPSS Score
  • Sep 14, 2024 EPSS Score
  • Oct 4, 2024 Coalition ESS Score
  • Oct 5, 2024 EPSS Score
  • Oct 25, 2024 EPSS Score
  • Nov 15, 2024 EPSS Score
  • Dec 6, 2024 EPSS Score
  • Dec 26, 2024 EPSS Score
  • Jan 16, 2025 EPSS Score
  • Feb 5, 2025 EPSS Score
  • Feb 26, 2025 EPSS Score