Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-39312

Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5.

Published

2024-07-08T17:15:11.547

Last Modified

2025-04-11T14:09:48.327

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

Weaknesses

Type: Secondary
CWE-295
Type: Primary
CWE-295

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	botan_project	botan	< 2.19.5	Yes
Application	botan_project	botan	< 3.5.0	Yes

References

https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86 Third Party Advisory ([email protected])
https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)