CVE-2024-39312

Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86

Configurations

No configuration.

History

No history.

Information

Published : 2024-07-08 17:15

Updated : 2024-07-09 18:19

NVD link : CVE-2024-39312

Mitre link : CVE-2024-39312

CVE.ORG link : CVE-2024-39312

JSON object : View

Products Affected

No product.

CWE

CWE-295

Improper Certificate Validation

{"id": "CVE-2024-39312", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-07-08T17:15:11.547", "references": [{"url": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5."}, {"lang": "es", "value": "Botan es una librer\u00eda de criptograf\u00eda C++. Los certificados X.509 pueden identificar curvas el\u00edpticas utilizando un identificador de objeto o una codificaci\u00f3n expl\u00edcita de los par\u00e1metros. Un error en el an\u00e1lisis de las extensiones de restricci\u00f3n de nombres en los certificados X.509 significaba que si la extensi\u00f3n inclu\u00eda tanto sub\u00e1rboles permitidos como sub\u00e1rboles excluidos, solo se verificar\u00eda el sub\u00e1rbol permitido. Si un certificado incluyera un nombre permitido por el sub\u00e1rbol permitido pero tambi\u00e9n excluido por el sub\u00e1rbol excluido, se aceptar\u00eda. Corregido en las versiones 3.5.0 y 2.19.5."}], "lastModified": "2024-07-09T18:19:14.047", "sourceIdentifier": "security-advisories@github.com"}