CVE-2024-39312

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Botan versions prior to 2.19.5 Botan versions prior to 3.5.0

Description: A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. This issue is related to the authentication procedure of the Botan C++ cryptography library.

Recommendations: For versions prior to 2.19.5, update to version 2.19.5 or later. For versions prior to 3.5.0, update to version 3.5.0 or later.

Exploit

Fix

Improper Certificate Validation

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-295

Related Identifiers

AZL-43825

AZL-44286

BDU:2024-07775

CVE-2024-39312

GHSA-JP24-56JM-GG86

OESA-2024-1923

OESA-2024-1924

OESA-2024-1925

OPENSUSE-SU-2024:0201-1

OPENSUSE-SU-2024:14188-1

USN-7586-1

Affected Products

Botan

Debian

Linuxmint

Red Os

Ubuntu

CVE-2024-39312

Weakness Enumeration

Related Identifiers

Affected Products

References · 48