CVE-2024-34703

2024-06-3021:15:02

Alpine Linux Development Team

security.alpinelinux.org

botan

cryptography

vulnerability

ecdsa

x.509

certificate

parsing

elliptic curve

explicit encoding

parameters

patch

deprecated

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.1 High

AI Score

Confidence

Low

JSON

Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding where the parameters are very large. The proof of concept used a 16Kbit prime for this purpose. When parsing, the parameter is checked to be prime, causing excessive computation. This was patched in 2.19.4 and 3.3.0 to allow the prime parameter of the elliptic curve to be at most 521 bits. No known workarounds are available. Note that support for explicit encoding of elliptic curve parameters is deprecated in Botan.

OSVersionArchitecturePackageVersionFilename
Alpine3.19-mainnoarchbotan= 2.19.3-r5UNKNOWN
Alpine3.18-mainnoarchbotan= 2.19.3-r3UNKNOWN
Alpine3.17-mainnoarchbotan= 2.19.3-r0UNKNOWN