CVE-2026-5122

Severity: MEDIUM | CVSS 4.0: 6.3 | EPSS: 0.05%
Updated: Mar 30, 2026

| Parameter | Value |
|---|---|
| CVSS | 6.3 (MEDIUM) |
| Type | CWE-266 (Incorrect Privilege Assignment), CWE-284 (Improper Access Control) |
| Public PoC | No |

A security flaw has been discovered in osrg GoBGP up to 4.3.0. It affects the function DecodeFromBytes in the file pkg/packet/bgp/bgp.go of the BGP OPEN Message Handler component. Manipulating the argument domainNameLen results in improper access control.

The attack can be initiated remotely. Attack complexity is high, and exploitability is reported as difficult.

The patch is named 2b09db390a3d455808363c53e409afe6b1b86d2d. Applying the patch is recommended to address this issue.

Attack Parameters

Attack Vector: Network (can be exploited remotely)
Attack Complexity: High (difficult to exploit)
Attack Requirements: None (no additional conditions)
Privileges Required: None (no privileges needed)
User Interaction: None (no user interaction needed)

Impact Assessment

Confidentiality: None (no data leak)
Integrity: Low (partial data modification)
Availability: None (no disruption)

CVSS Vector v4.0