PT-2024-6085 · Botan+6

Bing Shi · Published 2024-02-20 · Updated 2026-01-30 · CVE-2024-34703

CVSS v2.0: 7.8 High
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Botan 2.x prior to 2.19.4 and 3.x prior to 3.3.0

Description: The issue is in the parsing of X.509 certificates whose EC public key uses explicit encoding of the elliptic curve parameters (the specifiedCurve form of ECParameters) instead of a named-curve OID. An attacker can present a certificate with very large parameters; when the field prime is checked for primality, the check consumes excessive CPU time, which can lead to a denial of service. The proof of concept used a 16 Kbit prime for this purpose. The checking cost is incurred while the certificate is processed, so any component that accepts certificates from untrusted peers is exposed. Support for explicit encoding of elliptic curve parameters is deprecated in Botan.

Recommendations: On the 2.x branch, update to 2.19.4 or later; on the 3.x branch, update to 3.3.0 or later. Until the update is applied, a workaround is to reject certificates whose EC public key uses explicitly encoded curve parameters and accept only named-curve OIDs; the check has to cover every certificate the application parses from an untrusted source, not only the leaf. Explicit encoding is deprecated in Botan, and RFC 5480 permits only the namedCurve form in PKIX certificates, so the restriction does not affect conforming certificates.
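The description explains the mechanism (a huge field prime inside explicitly encoded EC parameters drives a primality test) and the recommendations describe the workaround (refuse that encoding). The Python below is an added example, not code from Botan or from this advisory: a small DER walker that locates the SubjectPublicKeyInfo inside a certificate, classifies the ECParameters encoding, measures the field prime of an explicit encoding, and applies the rejection policy in front of whatever library parses the certificate. The function names (`read_tlv`, `classify_spki`, `spki_from_certificate`, `accept_certificate`, `explicit_cert`) are my own, and the sample certificates are constructed for the example: they carry placeholder keys, empty names and no signature, and the 16 Kbit "prime" is simply an odd number of that size, since the filter never tests primality.

```python
from __future__ import annotations

DER_OID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")  # 1.2.840.10045.2.1 id-ecPublicKey
DER_OID_PRIME_FIELD = bytes.fromhex("06072a8648ce3d0101")    # 1.2.840.10045.1.1 prime-field
DER_OID_SECP256R1 = bytes.fromhex("06082a8648ce3d030107")    # 1.2.840.10045.3.1.7 secp256r1 (P-256)

def der(tag: int, body: bytes) -> bytes:  # minimal DER encoder, used only for the constructed samples
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v: int) -> bytes:  # non-negative only; the extra byte keeps the sign bit clear
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position just after this TLV); definite lengths of at most 4 bytes only."""
    tag, first = buf[pos], buf[pos + 1]
    nb = 0 if first < 0x80 else first & 0x7F
    if nb > 4 or (first >= 0x80 and nb == 0):
        raise ValueError("unsupported DER length form")
    ln = first if nb == 0 else int.from_bytes(buf[pos + 2:pos + 2 + nb], "big")
    start, end = pos + 2 + nb, pos + 2 + nb + ln
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:end], end

def decode_oid(body: bytes) -> str:  # first-byte split is exact for root arcs 0 and 1, enough here
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def classify_spki(spki: bytes) -> dict:
    """ECParameters is a CHOICE: namedCurve (OID) or specifiedCurve (SEQUENCE, the explicit form)."""
    _, body, _ = read_tlv(spki, 0)           # SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey }
    _, algid, _ = read_tlv(body, 0)          # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }
    tag, oid, pos = read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    if oid != DER_OID_EC_PUBLIC_KEY[2:]:
        return {"algorithm": decode_oid(oid), "ec_params": None}
    ptag, params, _ = read_tlv(algid, pos)
    if ptag == 0x06:
        return {"algorithm": "id-ecPublicKey", "ec_params": "namedCurve", "curve": decode_oid(params)}
    if ptag != 0x30:                         # also rejects implicitlyCA (NULL), which RFC 5480 forbids in PKIX
        raise ValueError("unexpected ECParameters tag 0x%02x" % ptag)
    # ECParameters ::= SEQUENCE { version INTEGER, fieldID SEQUENCE { fieldType OID, parameters ANY }, ... }
    _, _, pos = read_tlv(params, 0)
    _, field, _ = read_tlv(params, pos)
    _, ftype, pos = read_tlv(field, 0)
    prime_bits = None
    if ftype == DER_OID_PRIME_FIELD[2:]:
        _, p, _ = read_tlv(field, pos)       # the prime a library would test; here it is only measured
        prime_bits = int.from_bytes(p, "big").bit_length()
    return {"algorithm": "id-ecPublicKey", "ec_params": "specifiedCurve", "prime_bits": prime_bits}

def spki_from_certificate(cert: bytes) -> bytes:
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo, skipping the fields in front of it."""
    _, cert_body, _ = read_tlv(cert, 0)
    _, tbs, _ = read_tlv(cert_body, 0)
    tag, _, pos = read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0          # optional [0] EXPLICIT version
    for _ in range(5):                       # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)
    return tbs[pos:end]

def accept_certificate(cert: bytes, allow_explicit_up_to_bits: int | None = None) -> tuple[bool, str]:
    """Refuse explicit EC parameters; optionally tolerate them only below a field-prime size cap."""
    info = classify_spki(spki_from_certificate(cert))
    kind, bits = info["ec_params"], info.get("prime_bits")
    if kind is None or kind == "namedCurve":
        return True, "%s / %s" % (info["algorithm"], kind or "non-EC")
    if allow_explicit_up_to_bits is not None and bits is not None:
        if bits <= allow_explicit_up_to_bits:
            return True, "explicit params, %d-bit prime within limit" % bits
        return False, "explicit params, %d-bit prime exceeds %d-bit limit" % (bits, allow_explicit_up_to_bits)
    return False, "explicit EC parameters are deprecated and rejected"

def _cert_with(ec_params: bytes) -> bytes:  # constructed sample: placeholder key, unsigned, empty names
    algid = der(0x30, DER_OID_EC_PUBLIC_KEY + ec_params)
    spki = der(0x30, algid + der(0x03, b"\x00\x04" + b"\x11" * 64))
    empty = der(0x30, b"")                   # stand-ins for signature, issuer, validity, subject
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + empty * 4 + spki)
    return der(0x30, tbs + empty + der(0x03, b"\x00"))

def explicit_cert(prime_bits: int) -> bytes:
    p = (1 << (prime_bits - 1)) | 1          # odd and prime_bits long; primality is irrelevant to the filter
    field = der(0x30, DER_OID_PRIME_FIELD + der_int(p))
    curve = der(0x30, der(0x04, b"\x00") + der(0x04, b"\x00"))
    params = der(0x30, der_int(1) + field + curve + der(0x04, b"\x04\x00\x00") + der_int(1) + der_int(1))
    return _cert_with(params)

NAMED_CURVE_CERT = _cert_with(DER_OID_SECP256R1)
HUGE_EXPLICIT_CERT = explicit_cert(16384)    # mirrors the 16 Kbit parameter of the advisory's PoC
```

`accept_certificate(cert_der)` returns `(True, reason)` for RSA keys and named-curve EC keys and `(False, reason)` for the explicit form, so `accept_certificate(HUGE_EXPLICIT_CERT)` rejects the sample that mirrors the proof of concept while `accept_certificate(NAMED_CURVE_CERT)` passes. Run it on every certificate received from an untrusted peer before the library sees it. The optional `allow_explicit_up_to_bits` cap is for deployments that cannot drop explicit parameters outright: it bounds the size of the prime the library will later test, which is the quantity that drives the cost described above.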

Weakness Enumeration

CWE-770 Allocation of Resources Without Limits or Throttling

Related Identifiers

AZL-43708
AZL-44214
BDU:2024-06990
CVE-2024-34703
GHSA-W4G2-7M2H-7XJ7
MGASA-2024-0297
OESA-2024-1923
OESA-2024-1924
OESA-2024-1925
OPENSUSE-SU-2024:0201-1
OPENSUSE-SU-2024:14095-1
OPENSUSE-SU-2024:14188-1
SUSE-SU-2024:2415-1
USN-7586-1

Affected Products

Astra Linux
Botan
Debian
Linuxmint
Red Os
Suse
Ubuntu