CVE-2024-39312 - OpenCVE

Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Randombit	Botan

No data.

No data.

References

Link	Providers
https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-08T16:30:25.044Z

Updated: 2024-08-02T04:19:20.621Z

Reserved: 2024-06-21T18:15:22.260Z

Link: CVE-2024-39312

Vulnrichment

Updated: 2024-07-08T19:58:52.492Z

NVD

Status : Awaiting Analysis

Published: 2024-07-08T17:15:11.547

Modified: 2024-07-09T18:19:14.047

Link: CVE-2024-39312

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39312", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-21T18:15:22.260Z", "datePublished": "2024-07-08T16:30:25.044Z", "dateUpdated": "2024-08-02T04:19:20.621Z"}, "containers": {"cna": {"title": "Botan has an Authorization Error due to Name Constraint Decoding Bug", "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86"}], "affected": [{"vendor": "randombit", "product": "botan", "versions": [{"version": "< 2.19.5", "status": "affected"}, {"version": ">= 3.0.0, < 3.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-08T16:30:25.044Z"}, "descriptions": [{"lang": "en", "value": "Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5."}], "source": {"advisory": "GHSA-jp24-56jm-gg86", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "randombit", "product": "botan", "cpes": ["cpe:2.3:a:randombit:botan:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.19.5", "versionType": "custom"}, {"version": "3.0.0", "status": "affected", "lessThan": "3.5.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-08T19:57:15.379890Z", "id": "CVE-2024-39312", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-08T19:59:00.224Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:19:20.621Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39312", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-08T19:57:15.379890Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:randombit:botan:*:*:*:*:*:*:*:*"], "vendor": "randombit", "product": "botan", "versions": [{"status": "affected", "version": "0", "lessThan": "2.19.5", "versionType": "custom"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.5.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-08T19:58:52.492Z"}}], "cna": {"title": "Botan has an Authorization Error due to Name Constraint Decoding Bug", "source": {"advisory": "GHSA-jp24-56jm-gg86", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "randombit", "product": "botan", "versions": [{"status": "affected", "version": "< 2.19.5"}, {"status": "affected", "version": ">= 3.0.0, < 3.5.0"}]}], "references": [{"url": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86", "name": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-08T16:30:25.044Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39312", "state": "PUBLISHED", "dateUpdated": "2024-07-08T19:59:00.224Z", "dateReserved": "2024-06-21T18:15:22.260Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-08T16:30:25.044Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5."}, {"lang": "es", "value": "Botan es una librer\u00eda de criptograf\u00eda C++. Los certificados X.509 pueden identificar curvas el\u00edpticas utilizando un identificador de objeto o una codificaci\u00f3n expl\u00edcita de los par\u00e1metros. Un error en el an\u00e1lisis de las extensiones de restricci\u00f3n de nombres en los certificados X.509 significaba que si la extensi\u00f3n inclu\u00eda tanto sub\u00e1rboles permitidos como sub\u00e1rboles excluidos, solo se verificar\u00eda el sub\u00e1rbol permitido. Si un certificado incluyera un nombre permitido por el sub\u00e1rbol permitido pero tambi\u00e9n excluido por el sub\u00e1rbol excluido, se aceptar\u00eda. Corregido en las versiones 3.5.0 y 2.19.5."}], "id": "CVE-2024-39312", "lastModified": "2024-07-09T18:19:14.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-08T17:15:11.547", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "security-advisories@github.com", "type": "Secondary"}]}