CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
AI Score
Confidence
High
Botan is a C++ cryptography library. X.509 certificates can identify
elliptic curves using either an object identifier or using explicit
encoding of the parameters. Prior to 3.5.0 and 2.19.5, checking name
constraints in X.509 certificates is quadratic in the number of names and
name constraints. An attacker who presented a certificate chain which
contained a very large number of names in the SubjectAlternativeName,
signed by a CA certificate which contained a large number of name
constraints, could cause a denial of service. The problem has been
addressed in Botan 3.5.0 and a partial backport has also been applied and
is included in Botan 2.19.5.
github.com/randombit/botan/commit/21dccc8fef18c165ba3301d850ac61521f85637e
github.com/randombit/botan/commit/39535f13c322f56aa3da2f44b2b6abb8619a82ac
github.com/randombit/botan/commit/477822a2d10f02d8ba46c9d8a5132f25843f5cc1
github.com/randombit/botan/commit/7606d70d3a2ac7114476ec2651ca0243c4536fdf
github.com/randombit/botan/commit/c3264821b9f6286ee4e6e3e06826f6b7177e6d41
github.com/randombit/botan/commit/ff704b12e6fa351aaedd07bffdc91722e84586b8
github.com/randombit/botan/pull/4034
github.com/randombit/botan/pull/4045
github.com/randombit/botan/pull/4047
github.com/randombit/botan/pull/4052
github.com/randombit/botan/pull/4186
github.com/randombit/botan/pull/4187
github.com/randombit/botan/security/advisories/GHSA-5gg9-hqpr-r58j
launchpad.net/bugs/cve/CVE-2024-34702
nvd.nist.gov/vuln/detail/CVE-2024-34702
security-tracker.debian.org/tracker/CVE-2024-34702
www.cve.org/CVERecord?id=CVE-2024-34702