CVE-2024-39312 - Vulnerability Details - OpenCVE

Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Botan Project	Botan
Randombit	Botan

Configuration 1 [-]

OR	cpe:2.3:a:botan_project:botan::::::::
	cpe:2.3:a:botan_project:botan::::::::

No data.

References

Link	Providers
https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86

History

Wed, 05 Mar 2025 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Botan Project Botan Project botan
CPEs		cpe:2.3:a:botan_project:botan::::::::
Vendors & Products		Botan Project Botan Project botan

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-08T16:30:25.044Z

Updated: 2024-08-02T04:19:20.621Z

Reserved: 2024-06-21T18:15:22.260Z

Link: CVE-2024-39312

Vulnrichment

Updated: 2024-07-08T19:58:52.492Z

NVD

Status : Analyzed

Published: 2024-07-08T17:15:11.547

Modified: 2025-03-05T14:53:25.190

Link: CVE-2024-39312

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39312", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-21T18:15:22.260Z", "datePublished": "2024-07-08T16:30:25.044Z", "dateUpdated": "2024-08-02T04:19:20.621Z"}, "containers": {"cna": {"title": "Botan has an Authorization Error due to Name Constraint Decoding Bug", "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86"}], "affected": [{"vendor": "randombit", "product": "botan", "versions": [{"version": "< 2.19.5", "status": "affected"}, {"version": ">= 3.0.0, < 3.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-08T16:30:25.044Z"}, "descriptions": [{"lang": "en", "value": "Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5."}], "source": {"advisory": "GHSA-jp24-56jm-gg86", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "randombit", "product": "botan", "cpes": ["cpe:2.3:a:randombit:botan:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.19.5", "versionType": "custom"}, {"version": "3.0.0", "status": "affected", "lessThan": "3.5.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-08T19:57:15.379890Z", "id": "CVE-2024-39312", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-08T19:59:00.224Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:19:20.621Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39312", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-08T19:57:15.379890Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:randombit:botan:*:*:*:*:*:*:*:*"], "vendor": "randombit", "product": "botan", "versions": [{"status": "affected", "version": "0", "lessThan": "2.19.5", "versionType": "custom"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.5.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-08T19:58:52.492Z"}}], "cna": {"title": "Botan has an Authorization Error due to Name Constraint Decoding Bug", "source": {"advisory": "GHSA-jp24-56jm-gg86", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "randombit", "product": "botan", "versions": [{"status": "affected", "version": "< 2.19.5"}, {"status": "affected", "version": ">= 3.0.0, < 3.5.0"}]}], "references": [{"url": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86", "name": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-08T16:30:25.044Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39312", "state": "PUBLISHED", "dateUpdated": "2024-07-08T19:59:00.224Z", "dateReserved": "2024-06-21T18:15:22.260Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-08T16:30:25.044Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:*", "matchCriteriaId": "61B1DDAB-A102-4C7D-B680-1544D88151E4", "versionEndExcluding": "2.19.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:*", "matchCriteriaId": "85DA9E3B-CA36-4070-941B-D6811931D262", "versionEndExcluding": "3.5.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5."}, {"lang": "es", "value": "Botan es una librer\u00eda de criptograf\u00eda C++. Los certificados X.509 pueden identificar curvas el\u00edpticas utilizando un identificador de objeto o una codificaci\u00f3n expl\u00edcita de los par\u00e1metros. Un error en el an\u00e1lisis de las extensiones de restricci\u00f3n de nombres en los certificados X.509 significaba que si la extensi\u00f3n inclu\u00eda tanto sub\u00e1rboles permitidos como sub\u00e1rboles excluidos, solo se verificar\u00eda el sub\u00e1rbol permitido. Si un certificado incluyera un nombre permitido por el sub\u00e1rbol permitido pero tambi\u00e9n excluido por el sub\u00e1rbol excluido, se aceptar\u00eda. Corregido en las versiones 3.5.0 y 2.19.5."}], "id": "CVE-2024-39312", "lastModified": "2025-03-05T14:53:25.190", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-08T17:15:11.547", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "security-advisories@github.com", "type": "Secondary"}]}