#VU94669 Improper Certificate Validation in Botan - CVE-2024-39312


Vulnerability identifier: #VU94669

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-39312

CWE-ID: CWE-295

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Botan
Universal components / Libraries / Libraries used by multiple products

Vendor: Randombit

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the Name Constraint Decoding bug. A remote attacker can cause the target system to accept arbitrary certificates.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Botan: 2.19.0 - 2.19.4, 3.0.0, 3.1.0 - 3.1.1, 3.2.0, 3.3.0, 3.4.0

External links
http://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


openEuler 22.03 LTS SP4 update for botan2
openEuler 22.03 LTS SP3 update for botan2
openEuler 24.03 LTS update for botan2
Fedora EPEL 9 update for botan2
Fedora 39 update for botan2
Fedora 40 update for botan2
Multiple vulnerabilities in Botan