CVE-2023-39915 (GCVE-0-2023-39915)

Vulnerability from cvelistv5 – Published: 2023-09-13 14:20 – Updated: 2024-09-12 13:22
Summary
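NLnet Labs' Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects. This is due to insufficient input checking in the bcder library covered by CVE-2023-39914. The issue is fixed in Routinator 0.12.2 and all later versions; the CVSS 3.1 vector in the record below (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base score 7.5) rates the impact as availability only.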
CWE
  • CWE-232 - Improper Handling of Undefined Values
  • CWE-240 - Improper Handling of Inconsistent Structural Elements
Assigner: NLnet Labs
References: https://nlnetlabs.nl/downloads/routinator/CVE-2023-39915.txt (vendor advisory)
Impacted products
Vendor: NLnet Labs; Product: Routinator
Affected: all versions before 0.12.2 (semver)
Unaffected: 0.12.2 and later (semver)
Credits
Haya Shulman Donika Mirdita Niklas Vogel

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:18:10.006Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://nlnetlabs.nl/downloads/routinator/CVE-2023-39915.txt"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-39915",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-12T13:21:49.530155Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T13:22:03.133Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Routinator",
          "vendor": "NLnet Labs",
          "versions": [
            {
              "lessThan": "0.12.2",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            },
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0.12.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Haya Shulman"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Donika Mirdita"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Niklas Vogel"
        }
      ],
      "datePublic": "2023-09-13T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "NLnet Labs\u0027 Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects. This is due to insufficient input checking in the bcder library covered by CVE-2023-39914."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-232",
              "description": "CWE-232: Improper Handling of Undefined Values",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-240",
              "description": "CWE-240: Improper Handling of Inconsistent Structural Elements",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-11T15:36:54.043Z",
        "orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
        "shortName": "NLnet Labs"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://nlnetlabs.nl/downloads/routinator/CVE-2023-39915.txt"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "This issue is fixed in 0.12.2 and all later versions."
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-07-19T18:00:00.000Z",
          "value": "Issue reported by Haya Shulman"
        },
        {
          "lang": "en",
          "time": "2023-09-13T14:00:00.000Z",
          "value": "Fixes released"
        }
      ],
      "title": "Crashes on parsing certain invalid RPKI objects"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
    "assignerShortName": "NLnet Labs",
    "cveId": "CVE-2023-39915",
    "datePublished": "2023-09-13T14:20:59.967Z",
    "dateReserved": "2023-08-07T11:55:17.843Z",
    "dateUpdated": "2024-09-12T13:22:03.133Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nlnetlabs:routinator:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.12.2\", \"matchCriteriaId\": \"3121BDD5-0BCF-4B60-9728-58878A8210ED\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"NLnet Labs\u0027 Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects. This is due to insufficient input checking in the bcder library covered by CVE-2023-39914.\"}, {\"lang\": \"es\", \"value\": \"El Routinator de NLnet Labs hasta la versi\\u00f3n 0.12.1 incluida puede fallar al intentar analizar ciertos objetos RPKI con formato incorrecto. Esto se debe a una verificaci\\u00f3n de entrada insuficiente en la biblioteca bder cubierta por CVE-2023-39914.\"}]",
      "id": "CVE-2023-39915",
      "lastModified": "2024-11-21T08:16:01.923",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"sep@nlnetlabs.nl\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2023-09-13T15:15:07.763",
      "references": "[{\"url\": \"https://nlnetlabs.nl/downloads/routinator/CVE-2023-39915.txt\", \"source\": \"sep@nlnetlabs.nl\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://nlnetlabs.nl/downloads/routinator/CVE-2023-39915.txt\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "sep@nlnetlabs.nl",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"sep@nlnetlabs.nl\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-232\"}, {\"lang\": \"en\", \"value\": \"CWE-240\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-39915\",\"sourceIdentifier\":\"sep@nlnetlabs.nl\",\"published\":\"2023-09-13T15:15:07.763\",\"lastModified\":\"2024-11-21T08:16:01.923\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"NLnet Labs\u0027 Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects. This is due to insufficient input checking in the bcder library covered by CVE-2023-39914.\"},{\"lang\":\"es\",\"value\":\"El Routinator de NLnet Labs hasta la versi\u00f3n 0.12.1 incluida puede fallar al intentar analizar ciertos objetos RPKI con formato incorrecto. Esto se debe a una verificaci\u00f3n de entrada insuficiente en la biblioteca bder cubierta por CVE-2023-39914.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"sep@nlnetlabs.nl\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"sep@nlnetlabs.nl\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-232\"},{\"lang\":\"en\",\"value\":\"CWE-240\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primar
y\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nlnetlabs:routinator:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.12.2\",\"matchCriteriaId\":\"3121BDD5-0BCF-4B60-9728-58878A8210ED\"}]}]}],\"references\":[{\"url\":\"https://nlnetlabs.nl/downloads/routinator/CVE-2023-39915.txt\",\"source\":\"sep@nlnetlabs.nl\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://nlnetlabs.nl/downloads/routinator/CVE-2023-39915.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://nlnetlabs.nl/downloads/routinator/CVE-2023-39915.txt\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T18:18:10.006Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-39915\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-12T13:21:49.530155Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-12T13:21:59.672Z\"}}], \"cna\": {\"title\": \"Crashes on parsing certain invalid RPKI objects\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Haya Shulman\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Donika Mirdita\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Niklas Vogel\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"NLnet Labs\", \"product\": \"Routinator\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\", \"lessThan\": \"0.12.2\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"0.12.2\", \"lessThan\": \"*\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2023-07-19T18:00:00.000Z\", \"value\": \"Issue reported by Haya Shulman\"}, {\"lang\": \"en\", \"time\": \"2023-09-13T14:00:00.000Z\", \"value\": \"Fixes released\"}], \"solutions\": 
[{\"lang\": \"en\", \"value\": \"This issue is fixed in 0.12.2 and all later versions.\"}], \"datePublic\": \"2023-09-13T00:00:00.000Z\", \"references\": [{\"url\": \"https://nlnetlabs.nl/downloads/routinator/CVE-2023-39915.txt\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"NLnet Labs\u0027 Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects. This is due to insufficient input checking in the bcder library covered by CVE-2023-39914.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-232\", \"description\": \"CWE-232: Improper Handling of Undefined Values\"}, {\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-240\", \"description\": \"CWE-240: Improper Handling of Inconsistent Structural Elements\"}]}], \"providerMetadata\": {\"orgId\": \"206fc3a0-e175-490b-9eaa-a5738056c9f6\", \"shortName\": \"NLnet Labs\", \"dateUpdated\": \"2024-09-11T15:36:54.043Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-39915\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-12T13:22:03.133Z\", \"dateReserved\": \"2023-08-07T11:55:17.843Z\", \"assignerOrgId\": \"206fc3a0-e175-490b-9eaa-a5738056c9f6\", \"datePublished\": \"2023-09-13T14:20:59.967Z\", \"assignerShortName\": \"NLnet Labs\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}







Sightings


Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

