Vulnerability Details : CVE-2023-0158
NLnet Labs Krill supports direct access to the RRDP repository content through its built-in web server at the "/rrdp" endpoint. Prior to 0.12.1 a direct query for any existing directory under "/rrdp/", rather than an RRDP file such as "/rrdp/notification.xml" as would be expected, causes Krill to crash. If the built-in "/rrdp" endpoint is exposed directly to the internet, then malicious remote parties can cause the publication server to crash. The repository content is not affected by this, but the availability of the server and repository can cause issues if this attack is persistent and is not mitigated.
Products affected by CVE-2023-0158
- cpe:2.3:a:nlnetlabs:krill:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-0158
0.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 39 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-0158
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2023-0158
-
An exception is thrown from a function, but it is not caught.Assigned by: sep@nlnetlabs.nl (Secondary)
References for CVE-2023-0158
-
https://www.nlnetlabs.nl/downloads/krill/CVE-2023-0158.txt
Mitigation;Vendor Advisory
Jump to