GHSA-37xq-q42p-rv3p

Опубликовано: 24 авг. 2023

Источник: github

Github: Прошло ревью

CVSS3: 2.6

Описание

ntpd has Dependency on Vulnerable Third-Party Component

During startup, an attacker that can man-in-the-middle traffic to and from NTS key exchange servers can trigger a very expensive key validation process due to a vulnerability in webpki.

Impact

This vulnerability can lead to excessive cpu usage on startup on clients configured to use NTS

Patches

Affected users are recommended to upgrade to version 0.3.7

References

Ссылки

https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-37xq-q42p-rv3p
https://github.com/pendulum-project/ntpd-rs/commit/927952a440176a18f3ded132eb831ae7f7ac5c00
https://github.com/rustsec/advisory-db/blob/main/crates/rustls-webpki/RUSTSEC-2023-0053.md

Пакеты

Наименование

ntpd

rust

Затронутые версииВерсия исправления

< 0.3.7

0.3.7

2.6 Low

CVSS3

Дефекты

CWE-1395

2.6 Low

CVSS3

Дефекты

CWE-1395