Skip to main content

Routinator CVE-2022-3029

HIGH
Improper Handling of Unexpected Data Type (CWE-241)
2022-09-13 sep@nlnetlabs.nl
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 13, 2022 - 16:15 nvd
HIGH 7.5

DescriptionNVD

In NLnet Labs Routinator 0.9.0 up to and including 0.11.2, due to a mistake in error handling, data in RRDP snapshot and delta files that isn’t correctly base 64 encoded is treated as a fatal error and causes Routinator to exit. Worst case impact of this vulnerability is denial of service for the RPKI data that Routinator provides to routers. This may stop your network from validating route origins based on RPKI data. This vulnerability does not allow an attacker to manipulate RPKI data.

AnalysisAI

In NLnet Labs Routinator 0.9.0 up to and including 0.11.2, due to a mistake in error handling, data in RRDP snapshot and delta files that isn’t correctly base 64 encoded is treated as a fatal error. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-241. In NLnet Labs Routinator 0.9.0 up to and including 0.11.2, due to a mistake in error handling, data in RRDP snapshot and delta files that isn’t correctly base 64 encoded is treated as a fatal error and causes Routinator to exit. Worst case impact of this vulnerability is denial of service for the RPKI data that Routinator provides to routers. This may stop your network from validating route origins based on RPKI data. This vulnerability does not allow an attacker to manipulate RPKI data. Affected products include: Nlnetlabs Routinator.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2020-17366 HIGH POC
7.4 Aug 05

An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. Rated high severity (CVSS 7.4), this vulnerability

CVE-2026-49235 HIGH
8.7 Jun 08

Denial of service in NLnet Labs Routinator allows remote attackers to crash the RPKI validator by serving a crafted Docu

CVE-2026-49232 HIGH
8.7 Jun 08

Denial of service in NLnet Labs Routinator allows remote unauthenticated attackers to crash the daemon by opening a larg

CVE-2026-49233 HIGH
8.3 Jun 08

Path traversal in NLnet Labs Routinator allows remote attackers to escape the rsync cache directory by supplying rsync U

CVE-2026-49234 HIGH
8.2 Jun 08

Denial of service in NLnet Labs Routinator (an RPKI Relying Party software) allows remote attackers to crash the daemon

CVE-2024-1622 HIGH
7.5 Feb 26

Due to a mistake in error checking, Routinator will terminate when an incoming RTR connection is reset by the peer too q

CVE-2023-39915 HIGH
7.5 Sep 13

NLnet Labs' Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects.

CVE-2021-43174 HIGH
7.5 Nov 09

NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, support the gzip transfer encoding when querying RRDP r

CVE-2021-43173 HIGH
7.5 Nov 09

In NLnet Labs Routinator prior to 0.10.2, a validation run can be delayed significantly by an RRDP repository by not ans

CVE-2021-43172 HIGH
7.5 Nov 09

NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRDP repositories of infinite length causing it to ne

CVE-2021-41531 HIGH
7.5 Sep 21

NLnet Labs Routinator prior to 0.10.0 produces invalid RTR payload if an RPKI CA uses too large values in the max-length

CVE-2023-39916 MEDIUM
6.5 Sep 13

NLnet Labs’ Routinator 0.9.0 up to and including 0.12.1 as well as 0.14.0 up to and including 0.14.2 contains a possible

Share

CVE-2022-3029 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy