Triggered crash on direct RRDP access
CVE-2023-0158

7.5HIGH

Key Information:

Vendor: Nlnet Labs
Status: Krill
Vendor: CVE Published:; 17 January 2023

What is CVE-2023-0158?

NLnet Labs Krill features a built-in web server that directly exposes the RRDP repository content through the '/rrdp' endpoint. Prior to version 0.12.1, any direct query to an existing directory under '/rrdp/' led to the server crashing, instead of providing the expected RRDP file, such as '/rrdp/notification.xml'. If the '/rrdp' endpoint is publicly accessible, malicious actors can exploit this flaw, resulting in server downtime. Although the repository content remains intact, the consequent unavailability of the server poses serious operational issues, particularly if such attacks are orchestrated persistently without adequate countermeasures in place.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Krill <= 0.12.0

References

https://www.nlnetlabs.nl/downloads/krill/CVE-2023-0158.txt

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 17, 2023
Vulnerability Reserved
Jan 10, 2023

Credit

We would like to thank user KittensAreDaBest on GitHub for the discovery and disclosure.

JSON

Nlnet Labs

What is CVE-2023-0158?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.