Gobgp
Monthly
Buffer overflow in GoBGP's AIGP Attribute Parser allows remote unauthenticated attackers to manipulate the PathAttributeAigp.DecodeFromBytes function via malformed BGP UPDATE messages, potentially causing memory corruption. Versions up to 4.3.0 are affected. GoBGP 4.4.0 includes a vendor-released patch that adds proper bounds checking and validation of TLV length fields.
Improper access controls in osrg GoBGP up to version 4.3.0 allow remote attackers to bypass authentication via manipulation of the BGP Header Handler's DecodeFromBytes function. The vulnerability affects the BGP packet parsing mechanism and enables unauthorized modifications to BGP protocol state without requiring authentication. With a CVSS score of 3.7 and high attack complexity, exploitation is difficult but possible over the network; no public exploit code or active exploitation has been confirmed.
Denial of service in osrg GoBGP up to version 4.3.0 via off-by-one error in the DecodeFromBytes function allows remote, unauthenticated attackers to crash the BGP daemon through manipulation of packet data, resulting in availability impact. The vulnerability requires high attack complexity and has difficult exploitability; no public exploit code or active exploitation is currently confirmed, though a patch is available from the vendor.
Improper access control in osrg GoBGP up to 4.3.0 allows remote attackers to manipulate the domainNameLen parameter in BGP OPEN Message processing, resulting in integrity compromise through the DecodeFromBytes function. The vulnerability requires high attack complexity and has low real-world risk despite network-accessible attack vector; no public exploit code or confirmed active exploitation has been identified. A vendor patch is available via upstream commit 2b09db390a3d455808363c53e409afe6b1b86d2d.
An issue was discovered in GoBGP before 3.35.0. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required.
An issue was discovered in GoBGP before 3.35.0. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required.
An issue was discovered in GoBGP before 3.35.0. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
An issue was discovered in GoBGP before 3.35.0. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity.
Buffer overflow in GoBGP's AIGP Attribute Parser allows remote unauthenticated attackers to manipulate the PathAttributeAigp.DecodeFromBytes function via malformed BGP UPDATE messages, potentially causing memory corruption. Versions up to 4.3.0 are affected. GoBGP 4.4.0 includes a vendor-released patch that adds proper bounds checking and validation of TLV length fields.
Improper access controls in osrg GoBGP up to version 4.3.0 allow remote attackers to bypass authentication via manipulation of the BGP Header Handler's DecodeFromBytes function. The vulnerability affects the BGP packet parsing mechanism and enables unauthorized modifications to BGP protocol state without requiring authentication. With a CVSS score of 3.7 and high attack complexity, exploitation is difficult but possible over the network; no public exploit code or active exploitation has been confirmed.
Denial of service in osrg GoBGP up to version 4.3.0 via off-by-one error in the DecodeFromBytes function allows remote, unauthenticated attackers to crash the BGP daemon through manipulation of packet data, resulting in availability impact. The vulnerability requires high attack complexity and has difficult exploitability; no public exploit code or active exploitation is currently confirmed, though a patch is available from the vendor.
Improper access control in osrg GoBGP up to 4.3.0 allows remote attackers to manipulate the domainNameLen parameter in BGP OPEN Message processing, resulting in integrity compromise through the DecodeFromBytes function. The vulnerability requires high attack complexity and has low real-world risk despite network-accessible attack vector; no public exploit code or confirmed active exploitation has been identified. A vendor patch is available via upstream commit 2b09db390a3d455808363c53e409afe6b1b86d2d.
An issue was discovered in GoBGP before 3.35.0. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required.
An issue was discovered in GoBGP before 3.35.0. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required.
An issue was discovered in GoBGP before 3.35.0. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
An issue was discovered in GoBGP before 3.35.0. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity.