Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2024-34703
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-30 Jun, 2024 | 20:22
Updated At-02 Aug, 2024 | 02:59
Rejected At-
▼CVE Numbering Authority (CNA)
Botan Vulnerable to Denial of Service Due to Overly Large Elliptic Curve Parameters

Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding where the parameters are very large. The proof of concept used a 16Kbit prime for this purpose. When parsing, the parameter is checked to be prime, causing excessive computation. This was patched in 2.19.4 and 3.3.0 to allow the prime parameter of the elliptic curve to be at most 521 bits. No known workarounds are available. Note that support for explicit encoding of elliptic curve parameters is deprecated in Botan.

Affected Products
Vendor
randombit
Product
botan
Versions
Affected
  • >= 3.3.0, < 3.3.0
  • < 2.19.4
Problem Types
TypeCWE IDDescription
CWECWE-405CWE-405: Asymmetric Resource Consumption (Amplification)
CWECWE-770CWE-770: Allocation of Resources Without Limits or Throttling
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7
x_refsource_CONFIRM
https://github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aadee4
x_refsource_MISC
https://github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b5a
x_refsource_MISC
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
randombit
Product
botan
CPEs
  • cpe:2.3:a:randombit:botan:3.30:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 3.30 before 3.3.1 (custom)
  • From 0 before 2.19.4 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7
x_refsource_CONFIRM
x_transferred
https://github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aadee4
x_refsource_MISC
x_transferred
https://github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b5a
x_refsource_MISC
x_transferred
Details not found