Safety vulnerability ID: 47857
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Irrd 4.2.3 includes a fix for CVE-2022-24798: IRRd did not always filter password hashes in query responses relating to 'mntner' objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected. This has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series never were affected. Users of the 4.2.x series are strongly recommended to upgrade. There are no known workarounds for this issue.
https://github.com/irrdnet/irrd/security/advisories/GHSA-cqxx-66wh-8pjw
Latest version: 4.4.4
Internet Routing Registry daemon (IRRd)
issue with password hash filtering that occurred in all earlier 4.2
releases. The 4.1.x series is not affected.
Previous IRRd 4.2 versions did not always filter password hashes in `mntner`
objects. This may have allowed adversaries to retrieve some of these hashes,
perform a brute-force search for the clear-text passphrase, and use these
to make unauthorised changes to affected IRR objects.
This issue only affected instances that process password hashes, which means it
is limited to IRRd instances that serve authoritative databases. IRRd instances
operating solely as mirrors of other IRR databases are not affected.
This issue was assigned CVE-2022-24798 and [GHSA-cqxx-66wh-8pjw](https://github.com/irrdnet/irrd/security/advisories/GHSA-cqxx-66wh-8pjw).
See https://irrd.readthedocs.io/en/stable/releases/4.2.3/ for further details.
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application