SCA: security update for github.com/cloudflare/cfrpki (GHSA-c8xp-8mf3-62h9)

high Tenable Self-Hosted Container Security Plugin ID 413785

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitting an invalid VRP "MaxLength"
value, causing RTR sessions to terminate. An attacker can use this to disable RPKI Origin Validation in a
victim network (for example AS 13335 - Cloudflare) prior to launching a BGP hijack which during normal
operations would be rejected as "RPKI invalid". Additionally, in certain deployments RTR session flapping
in and of itself also could cause BGP routing churn, causing availability issues. (CVE-2021-3761)

See Also

https://github.com/advisories/GHSA-c8xp-8mf3-62h9

Plugin Details

Severity: High

ID: 413785

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2021-3761

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/7/2021

Vulnerability Publication Date: 9/3/2021

Reference Information

CVE: CVE-2021-3761