Ubuntu.comUB:CVE-2024-34703CVE-2024-34703
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7 High
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
15.8%
Botan is a C++ cryptography library. X.509 certificates can identify
elliptic curves using either an object identifier or using explicit
encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker
could present an ECDSA X.509 certificate using explicit encoding where the
parameters are very large. The proof of concept used a 16Kbit prime for
this purpose. When parsing, the parameter is checked to be prime, causing
excessive computation. This was patched in 2.19.4 and 3.3.0 to allow the
prime parameter of the elliptic curve to be at most 521 bits. No known
workarounds are available. Note that support for explicit encoding of
elliptic curve parameters is deprecated in Botan.
References
github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aadee4
github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b5a
github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7
launchpad.net/bugs/cve/CVE-2024-34703
nvd.nist.gov/vuln/detail/CVE-2024-34703
security-tracker.debian.org/tracker/CVE-2024-34703
www.cve.org/CVERecord?id=CVE-2024-34703
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7 High
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
15.8%