OpenCVE

A programming error exists in a way Randombit Botan cryptographic library version 2.0.1 implements x500 string comparisons which could lead to certificate verification issues and abuse. A specially crafted X509 certificate would need to be delivered to the client or server application in order to trigger this vulnerability.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Botan Project	Botan

Configuration 1 [-]

cpe:2.3:a:botan_project:botan:2.0.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://talosintelligence.com/vulnerability_reports/TALOS-2017-0294
http://www.debian.org/security/2017/dsa-3939
http://www.securityfocus.com/bid/98106

History

No history.

MITRE

Status: PUBLISHED

Assigner: talos

Published: 2017-05-24T14:00:00

Updated: 2024-08-05T14:02:07.813Z

Reserved: 2016-12-01T00:00:00

Link: CVE-2017-2801

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-05-24T14:29:00.537

Modified: 2024-11-21T03:24:10.803

Link: CVE-2017-2801

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Botan", "vendor": "Randombit", "versions": [{"status": "affected", "version": "2.0.1"}]}], "datePublic": "2017-04-28T00:00:00", "descriptions": [{"lang": "en", "value": "A programming error exists in a way Randombit Botan cryptographic library version 2.0.1 implements x500 string comparisons which could lead to certificate verification issues and abuse. A specially crafted X509 certificate would need to be delivered to the client or server application in order to trigger this vulnerability."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Certificate validation bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T18:22:26", "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos"}, "references": [{"name": "98106", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/98106"}, {"name": "DSA-3939", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2017/dsa-3939"}, {"tags": ["x_refsource_MISC"], "url": "http://talosintelligence.com/vulnerability_reports/TALOS-2017-0294"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "talos-cna@cisco.com", "ID": "CVE-2017-2801", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Botan", "version": {"version_data": [{"version_value": "2.0.1"}]}}]}, "vendor_name": "Randombit"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A programming error exists in a way Randombit Botan cryptographic library version 2.0.1 implements x500 string comparisons which could lead to certificate verification issues and abuse. A specially crafted X509 certificate would need to be delivered to the client or server application in order to trigger this vulnerability."}]}, "impact": {"cvss": {"baseScore": 6.5, "baseSeverity": "Medium", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Certificate validation bypass"}]}]}, "references": {"reference_data": [{"name": "98106", "refsource": "BID", "url": "http://www.securityfocus.com/bid/98106"}, {"name": "DSA-3939", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3939"}, {"name": "http://talosintelligence.com/vulnerability_reports/TALOS-2017-0294", "refsource": "MISC", "url": "http://talosintelligence.com/vulnerability_reports/TALOS-2017-0294"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:02:07.813Z"}, "title": "CVE Program Container", "references": [{"name": "98106", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/98106"}, {"name": "DSA-3939", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2017/dsa-3939"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://talosintelligence.com/vulnerability_reports/TALOS-2017-0294"}]}]}, "cveMetadata": {"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "assignerShortName": "talos", "cveId": "CVE-2017-2801", "datePublished": "2017-05-24T14:00:00", "dateReserved": "2016-12-01T00:00:00", "dateUpdated": "2024-08-05T14:02:07.813Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:botan_project:botan:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "9287361E-DC3A-4E80-BBA3-30D0419ACBC4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A programming error exists in a way Randombit Botan cryptographic library version 2.0.1 implements x500 string comparisons which could lead to certificate verification issues and abuse. A specially crafted X509 certificate would need to be delivered to the client or server application in order to trigger this vulnerability."}, {"lang": "es", "value": "Existe un error de programaci\u00f3n en una manera en que la biblioteca criptogr\u00e1fica Randombit Botan versi\u00f3n 2.0.1, implementa comparaciones de cadenas x500 que podr\u00edan conllevar problemas de comprobaci\u00f3n de certificados y violarlos. Un certificado X509 especialmente dise\u00f1ado deber\u00eda entregarse al cliente o a la aplicaci\u00f3n del servidor para desencadenar esta vulnerabilidad."}], "id": "CVE-2017-2801", "lastModified": "2024-11-21T03:24:10.803", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.7, "source": "talos-cna@cisco.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-05-24T14:29:00.537", "references": [{"source": "talos-cna@cisco.com", "tags": ["Exploit", "Mitigation", "Third Party Advisory", "VDB Entry"], "url": "http://talosintelligence.com/vulnerability_reports/TALOS-2017-0294"}, {"source": "talos-cna@cisco.com", "url": "http://www.debian.org/security/2017/dsa-3939"}, {"source": "talos-cna@cisco.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.securityfocus.com/bid/98106"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mitigation", "Third Party Advisory", "VDB Entry"], "url": "http://talosintelligence.com/vulnerability_reports/TALOS-2017-0294"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2017/dsa-3939"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.securityfocus.com/bid/98106"}], "sourceIdentifier": "talos-cna@cisco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}