Vulnerability Description
Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding where the parameters are very large. The proof of concept used a 16Kbit prime for this purpose. When parsing, the parameter is checked to be prime, causing excessive computation. This was patched in 2.19.4 and 3.3.0 to allow the prime parameter of the elliptic curve to be at most 521 bits. No known workarounds are available. Note that support for explicit encoding of elliptic curve parameters is deprecated in Botan.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aade
- https://github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b
- https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7
- https://github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aade
- https://github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b
- https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7
FAQ
What is CVE-2024-34703?
CVE-2024-34703 is a vulnerability with a CVSS score of 7.5 (HIGH). Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4,...
How severe is CVE-2024-34703?
CVE-2024-34703 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-34703?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.