{ "id": "CVE-2022-24798", "sourceIdentifier": "security-advisories@github.com", "published": "2022-03-31T23:15:08.307", "lastModified": "2022-04-08T17:10:16.960", "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. IRRd did not always filter password hashes in query responses relating to `mntner` objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected. This has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series never were affected. Users of the 4.2.x series are strongly recommended to upgrade. There are no known workarounds for this issue." }, { "lang": "es", "value": "El demonio Internet Routing Registry versi\u00f3n 4 es un servidor de base de datos IRR, que procesa objetos IRR en el formato RPSL. IRRd no siempre filtraba los hashes de las contrase\u00f1as en las respuestas de las consultas relacionadas con los objetos \"mntner\" y las exportaciones de la base de datos. Esto pod\u00eda permitir a adversarios recuperar algunos de estos hashes, llevar a cabo una b\u00fasqueda por fuerza bruta de la frase de contrase\u00f1a en texto sin cifrar y usarlos para realizar cambios no autorizados en los objetos IRR afectados. Este problema s\u00f3lo afect\u00f3 a las instancias que procesan hashes de contrase\u00f1as, lo que significa que se limita a las instancias de IRRd que sirven bases de datos autoritativas. Las instancias de IRRd que funcionan \u00fanicamente como r\u00e9plicas de otras bases de datos de IRR no est\u00e1n afectadas. Esto ha sido corregido en IRRd versi\u00f3n 4.2.3 y en la rama principal. Las versiones de la serie 4.1.x nunca fueron afectadas. Se recomienda encarecidamente a los usuarios de la serie 4.2.x que actualicen. No se presentan medidas de mitigaci\u00f3n conocidas para este problema." } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH" }, "exploitabilityScore": 3.9, "impactScore": 3.6 }, { "source": "security-advisories@github.com", "type": "Secondary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH" }, "exploitabilityScore": 3.9, "impactScore": 3.6 } ], "cvssMetricV2": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0 }, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type":
"Primary", "description": [ { "lang": "en", "value": "CWE-212" } ] }, { "source": "security-advisories@github.com", "type": "Secondary", "description": [ { "lang": "en", "value": "CWE-212" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:internet_routing_registry_daemon_project:internet_routing_registry_daemon:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2.0", "versionEndExcluding": "4.2.3", "matchCriteriaId": "C0DC5A79-EC7A-4CD8-92D7-EE997B70B7DB" } ] } ] } ], "references": [ { "url": "https://github.com/irrdnet/irrd/commit/0e41bae8d3d27316381a2fc7b466597230e35ec6", "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ] }, { "url": "https://github.com/irrdnet/irrd/commit/fdffaf8dd71713f06e99dff417e6aa1e6fa84b70", "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ] }, { "url": "https://github.com/irrdnet/irrd/security/advisories/GHSA-cqxx-66wh-8pjw", "source": "security-advisories@github.com", "tags": [ "Release Notes", "Third Party Advisory" ] } ] }