CVE-2023-39915: 
NixOS vulnerability analysis and mitigation

NLnet Labs' Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects. This vulnerability (CVE-2023-39915) was disclosed on September 13, 2023, and is related to insufficient input checking in the bcder library (covered by CVE-2023-39914) (NVD, Vendor Advisory).

The vulnerability stems from insufficient checking of input data in the decoding library bcder used by Routinator. When processing malformed RPKI objects, the application may crash due to improper input validation. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The primary impact of this vulnerability is on system availability. When exploited, it can cause the Routinator service to crash, leading to a denial of service condition. The vulnerability does not affect confidentiality or integrity of the system (NVD).

The vulnerability has been fixed in Routinator version 0.12.2. Users are advised to upgrade to this version or later to address the security issue. The fix includes updating to a patched version of the bcder library (Vendor Advisory).