{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39312", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-21T18:15:22.260Z", "datePublished": "2024-07-08T16:30:25.044Z", "dateUpdated": "2024-08-02T04:19:20.621Z"}, "containers": {"cna": {"title": "Botan has an Authorization Error due to Name Constraint Decoding Bug", "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86"}], "affected": [{"vendor": "randombit", "product": "botan", "versions": [{"version": "< 2.19.5", "status": "affected"}, {"version": ">= 3.0.0, < 3.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-08T16:30:25.044Z"}, "descriptions": [{"lang": "en", "value": "Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5."}], "source": {"advisory": "GHSA-jp24-56jm-gg86", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "randombit", "product": "botan", "cpes": ["cpe:2.3:a:randombit:botan:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.19.5", "versionType": "custom"}, {"version": "3.0.0", "status": "affected", "lessThan": "3.5.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-08T19:57:15.379890Z", "id": "CVE-2024-39312", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-08T19:59:00.224Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:19:20.621Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39312", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-08T19:57:15.379890Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:randombit:botan:*:*:*:*:*:*:*:*"], "vendor": "randombit", "product": "botan", "versions": [{"status": "affected", "version": "0", "lessThan": "2.19.5", "versionType": "custom"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.5.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-08T19:58:52.492Z"}}], "cna": {"title": "Botan has an Authorization Error due to Name Constraint Decoding Bug", "source": {"advisory": "GHSA-jp24-56jm-gg86", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "randombit", "product": "botan", "versions": [{"status": "affected", "version": "< 2.19.5"}, {"status": "affected", "version": ">= 3.0.0, < 3.5.0"}]}], "references": [{"url": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86", "name": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-08T16:30:25.044Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39312", "state": "PUBLISHED", "dateUpdated": "2024-07-08T19:59:00.224Z", "dateReserved": "2024-06-21T18:15:22.260Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-08T16:30:25.044Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:*", "matchCriteriaId": "61B1DDAB-A102-4C7D-B680-1544D88151E4", "versionEndExcluding": "2.19.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:*", "matchCriteriaId": "85DA9E3B-CA36-4070-941B-D6811931D262", "versionEndExcluding": "3.5.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5."}, {"lang": "es", "value": "Botan es una librer\u00eda de criptograf\u00eda C++. Los certificados X.509 pueden identificar curvas el\u00edpticas utilizando un identificador de objeto o una codificaci\u00f3n expl\u00edcita de los par\u00e1metros. Un error en el an\u00e1lisis de las extensiones de restricci\u00f3n de nombres en los certificados X.509 significaba que si la extensi\u00f3n inclu\u00eda tanto sub\u00e1rboles permitidos como sub\u00e1rboles excluidos, solo se verificar\u00eda el sub\u00e1rbol permitido. Si un certificado incluyera un nombre permitido por el sub\u00e1rbol permitido pero tambi\u00e9n excluido por el sub\u00e1rbol excluido, se aceptar\u00eda. Corregido en las versiones 3.5.0 y 2.19.5."}], "id": "CVE-2024-39312", "lastModified": "2025-04-11T14:09:48.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-08T17:15:11.547", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}