CVE-2024-39312

2024-07-0800:00:00

ubuntu.com

botan

cryptography

x.509

certificates

elliptic curves

parsing

bug

name constraint

extensions

parsing

version 3.5.0

version 2.19.5

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

Confidence

Low

JSON

Botan is a C++ cryptography library. X.509 certificates can identify
elliptic curves using either an object identifier or using explicit
encoding of the parameters. A bug in the parsing of name constraint
extensions in X.509 certificates meant that if the extension included both
permitted subtrees and excluded subtrees, only the permitted subtree would
be checked. If a certificate included a name which was permitted by the
permitted subtree but also excluded by excluded subtree, it would be
accepted. Fixed in versions 3.5.0 and 2.19.5.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchbotan< anyUNKNOWN
ubuntu20.04noarchbotan< anyUNKNOWN
ubuntu22.04noarchbotan< anyUNKNOWN
ubuntu24.04noarchbotan< anyUNKNOWN