Vulnerability identifier: #VU94671

Vulnerability risk: Medium

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2024-34702

CWE-ID: CWE-405

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Botan
Universal components / Libraries / Libraries used by multiple products

Vendor: Randombit

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to excessive name constraints. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Botan: 3.4.0, 3.3.0, 3.2.0, 3.1.0 - 3.1.1, 3.0.0, 2.19.0 - 2.19.4

---

External links
http://github.com/randombit/botan/security/advisories/GHSA-5gg9-hqpr-r58j
http://github.com/randombit/botan/pull/4034
http://github.com/randombit/botan/pull/4045
http://github.com/randombit/botan/pull/4047
http://github.com/randombit/botan/pull/4052
http://github.com/randombit/botan/pull/4186
http://github.com/randombit/botan/pull/4187
http://github.com/randombit/botan/commit/21dccc8fef18c165ba3301d850ac61521f85637e
http://github.com/randombit/botan/commit/39535f13c322f56aa3da2f44b2b6abb8619a82ac
http://github.com/randombit/botan/commit/477822a2d10f02d8ba46c9d8a5132f25843f5cc1
http://github.com/randombit/botan/commit/7606d70d3a2ac7114476ec2651ca0243c4536fdf
http://github.com/randombit/botan/commit/c3264821b9f6286ee4e6e3e06826f6b7177e6d41
http://github.com/randombit/botan/commit/ff704b12e6fa351aaedd07bffdc91722e84586b8

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.