CVE-2022-24798

CVE-2022-24798 is a high-severity security vulnerability in irrd (pip), affecting versions >= 4.2.0, < 4.2.3. It is fixed in 4.2.3.

Summary

IRRd did not always filter password hashes in query responses relating to mntner objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected.

The issue occurred:

  • For mntner objects where all password hash names (MD5-PW and CRYPT-PW) were in lower or mixed case in the auth attribute. For these objects, hashes remained in the output of all queries of any method and all database exports made with the export_destination setting. Fortunately, objects in the common public IRR database virtually all use uppercase hash names which means very few of those objects were affected.
  • For any GraphQL queries that queried the auth field on mntner objects.
  • For any GraphQL queries that queried the objectText field on the journal field on mntner objects, if the nrtm_access_list setting permitted journal access.

The two GraphQL cases are visible in logs, allowing users to determine whether any existing objects had their hashes exposed.
This has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series were never affected. Users of the 4.2.x series are strongly recommended to upgrade. All users running a more recent version from the main branch should update to the latest version. Alternatively, but not recommended, apply the patch manually [for 4.2.x].
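As an added illustration (not IRRd's own code), the following Python contrasts a hash filter that only recognises upper-case hash names, mirroring the flaw described above, with a case-insensitive one, and adds an audit helper that flags auth lines still carrying a real hash. The mntner object text, the DummyValue placeholder and the function names are constructed for this example.

```python
import re
from typing import List

# Constructed sample mntner object (not a real IRR object); hash values are fake.
SAMPLE_MNTNER = """\
mntner:         MAINT-EXAMPLE
descr:          constructed example, not a real IRR object
auth:           MD5-PW $1$saltsalt$constructedhashvalue00000
auth:           md5-pw $1$saltsalt$constructedhashvalue11111
auth:           Crypt-Pw abCDefGHijKL.
auth:           PGPKEY-0123ABCD
mnt-by:         MAINT-EXAMPLE
source:         EXAMPLE
"""

PLACEHOLDER = "DummyValue"  # hypothetical marker written in place of a hash

# An "auth:" line: attribute prefix, hash scheme name, hash value.
_AUTH_CS = re.compile(r"^(auth:\s+)(MD5-PW|CRYPT-PW)\s+(\S+)", re.MULTILINE)
_AUTH_CI = re.compile(r"^(auth:\s+)(MD5-PW|CRYPT-PW)\s+(\S+)",
                      re.MULTILINE | re.IGNORECASE)


def filter_case_sensitive(object_text: str) -> str:
    """Weak filter: only upper-case scheme names are recognised, so lines such
    as 'md5-pw' or 'Crypt-Pw' leak their hash unchanged."""
    return _AUTH_CS.sub(lambda m: f"{m.group(1)}{m.group(2)} {PLACEHOLDER}",
                        object_text)


def filter_case_insensitive(object_text: str) -> str:
    """Hardened filter: scheme name matched regardless of case, value replaced,
    and the scheme name normalised to upper case in the output."""
    return _AUTH_CI.sub(
        lambda m: f"{m.group(1)}{m.group(2).upper()} {PLACEHOLDER}", object_text)


def remaining_hash_lines(object_text: str) -> List[str]:
    """Audit helper: auth lines (any case) that still carry a real hash value.
    Useful for checking query output or an export before it leaves the server."""
    leaks = []
    for line in object_text.splitlines():
        m = _AUTH_CI.match(line)
        if m and m.group(3) != PLACEHOLDER:
            leaks.append(line)
    return leaks
```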

Impact

CVE-2022-24798 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.2.3); upgrading removes the vulnerable code path.

Affected versions

irrd (>= 4.2.0, < 4.2.3)

Security releases

irrd → 4.2.3 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade irrd to 4.2.3 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2022-24798? CVE-2022-24798 is a high-severity security vulnerability in irrd (pip), affecting versions >= 4.2.0, < 4.2.3. It is fixed in 4.2.3.
  2. How severe is CVE-2022-24798? CVE-2022-24798 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of irrd are affected by CVE-2022-24798? irrd (pip) versions >= 4.2.0, < 4.2.3 are affected.
  4. Is there a fix for CVE-2022-24798? Yes. CVE-2022-24798 is fixed in 4.2.3. Upgrade to this version or later.
  5. Is CVE-2022-24798 exploitable, and should I be worried? Whether CVE-2022-24798 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2022-24798 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2022-24798? Upgrade irrd to 4.2.3 or later.
