CVE-2024-34702

MEDIUM

Botan <3.5.0-2.19.5 - Info Disclosure

Title source: llm
STIX 2.1

Description

Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to 3.5.0 and 2.19.5, checking name constraints in X.509 certificates is quadratic in the number of names and name constraints. An attacker who presented a certificate chain which contained a very large number of names in the SubjectAlternativeName, signed by a CA certificate which contained a large number of name constraints, could cause a denial of service. The problem has been addressed in Botan 3.5.0 and a partial backport has also been applied and is included in Botan 2.19.5.

References (13)

Core 13
Core References
Issue Tracking x_refsource_misc
https://github.com/randombit/botan/pull/4187
Issue Tracking x_refsource_misc
https://github.com/randombit/botan/pull/4034
Issue Tracking x_refsource_misc
https://github.com/randombit/botan/pull/4045
Issue Tracking x_refsource_misc
https://github.com/randombit/botan/pull/4047
Issue Tracking x_refsource_misc
https://github.com/randombit/botan/pull/4052
Issue Tracking x_refsource_misc
https://github.com/randombit/botan/pull/4186

Scores

CVSS v3 5.3
EPSS 0.0084
EPSS Percentile 53.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-405
Status published
Products (2)
randombit/botan < 2.19.5
randombit/botan >= 3.0.0, < 3.5.0
Published Jul 08, 2024
Tracked Since Feb 18, 2026