Products
Botan
- before 2.19.4
- before 3.3.0
Source
security-advisories@github.com
Tags
CVE-2024-34703 details
Last Modified : June 30, 2024, 9:15 p.m.
Description
Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding where the parameters are very large. The proof of concept used a 16Kbit prime for this purpose. When parsing, the parameter is checked to be prime, causing excessive computation. This was patched in 2.19.4 and 3.3.0 to allow the prime parameter of the elliptic curve to be at most 521 bits. No known workarounds are available. Note that support for explicit encoding of elliptic curve parameters is deprecated in Botan.
CVSS Score
| 1 | 2 | 3 | 4 | 5 | 6 | 7.5 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-405 | Asymmetric Resource Consumption (Amplification) | The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric." |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
Base Score
7.5
Exploitability Score
3.9
Impact Score
3.6
Base Severity
HIGH
Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
| URL | Source |
|---|---|
| https://github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aadee4 | security-advisories@github.com |
| https://github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b5a | security-advisories@github.com |
| https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7 | security-advisories@github.com |