Summary
IRRd did not always filter password hashes in query responses relating to mntner objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected.
The issue occurred:
- For `mntner` objects where all password hash names (`MD5-PW` and `CRYPT-PW`) were in lower or mixed case in the `auth` attribute. For these objects, hashes remained in the output of all queries of any method and all database exports made with the `export_destination` setting. Fortunately, objects in the common public IRR database virtually all use uppercase hash names, which means very few of those objects were affected.
- For any GraphQL queries that queried the `auth` field on `mntner` objects.
- For any GraphQL queries that queried the `objectText` field on the `journal` field on `mntner` objects, if the `nrtm_access_list` setting permitted journal access.
The two GraphQL cases are visible in logs, allowing users to determine whether any existing objects had their hashes exposed.
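As an added illustration (not IRRd's own code), the Python below models the case-sensitivity defect described above beside its hardened form, and scans a constructed export for `mntner` objects in the exposed condition (all hash method names in lower or mixed case). The RPSL line regex, the placeholder text and the sample objects are assumptions; the hash values are fake.

```python
import re
# The two hash methods the advisory names as needing to be filtered from output.
PASSWORD_HASH_METHODS = ("MD5-PW", "CRYPT-PW")
PLACEHOLDER = "DummyValue  # Filtered for security"
# One RPSL "auth:" line with a method name and a value (constructed regex, not IRRd's parser).
AUTH_LINE = re.compile(r"^(auth:\s*)(\S+)(\s+)(\S.*)$", re.MULTILINE)
# Constructed sample export: hash values are fake placeholders, not real credentials.
SAMPLE_EXPORT = """mntner:         SAFE-MNT
auth:           MD5-PW $1$fakesalt$FAKEHASHAAAAAAAAAAAAA
source:         EXAMPLE

mntner:         EXPOSED-MNT
auth:           md5-pw $1$fakesalt$FAKEHASHCCCCCCCCCCCCC
auth:           Crypt-Pw FAKECRYPTVALUE
auth:           PGPKEY-ABCDEF01
source:         EXAMPLE
"""

def _hash_methods(obj_text):
    # Method names, exactly as written, of every password-hash auth line in one object.
    return [m.group(2) for m in AUTH_LINE.finditer(obj_text)
            if m.group(2).upper() in PASSWORD_HASH_METHODS]

def _redact_all(obj_text):
    # Replace every MD5-PW/CRYPT-PW value regardless of case; PGPKEY lines pass through.
    def redact(m):
        prefix, method, sep, _value = m.groups()
        if method.upper() in PASSWORD_HASH_METHODS:
            return f"{prefix}{method}{sep}{PLACEHOLDER}"
        return m.group(0)
    return AUTH_LINE.sub(redact, obj_text)

def filter_hashes_vulnerable(obj_text):
    # Model of the defect: redaction only triggers when some method name is in exact uppercase.
    if any(meth in PASSWORD_HASH_METHODS for meth in _hash_methods(obj_text)):
        return _redact_all(obj_text)
    return obj_text  # all lower/mixed-case names: the object goes out unfiltered

def filter_hashes_fixed(obj_text):
    # Hardened form: the case of the method name never decides whether to redact.
    return _redact_all(obj_text)

def affected_mntners(export_text):
    # Names of mntner objects whose password-hash method names are all non-uppercase.
    affected = []
    for obj in re.split(r"\n\s*\n", export_text.strip()):
        name = re.search(r"^mntner:\s*(\S+)", obj, re.MULTILINE)
        methods = _hash_methods(obj)
        if name and methods and not any(m in PASSWORD_HASH_METHODS for m in methods):
            affected.append(name.group(1))
    return affected
```

Running `affected_mntners` over a real export of an authoritative database lists the objects whose hashes would have been visible before 4.2.3; those are the passwords worth rotating.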
This has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series were never affected. Users of the 4.2.x series are strongly recommended to upgrade. All users running a more recent version from the main branch should update to the latest version. Alternatively, but not recommended, apply the patch manually [for 4.2.x]
Impact
CVE-2022-24798 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.2.3); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2022-24798? CVE-2022-24798 is a high-severity security vulnerability in irrd (pip), affecting versions >= 4.2.0, < 4.2.3. It is fixed in 4.2.3.
- How severe is CVE-2022-24798? CVE-2022-24798 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of irrd are affected by CVE-2022-24798? irrd (pip) versions >= 4.2.0, < 4.2.3 are affected.
- Is there a fix for CVE-2022-24798? Yes. CVE-2022-24798 is fixed in 4.2.3. Upgrade to this version or later.
- Is CVE-2022-24798 exploitable, and should I be worried? Whether CVE-2022-24798 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2022-24798 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2022-24798? Upgrade `irrd` to 4.2.3 or later.