CVE-2024-34703

Description

Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding where the parameters are very large. The proof of concept used a 16Kbit prime for this purpose. When parsing, the parameter is checked to be prime, causing excessive computation. This was patched in 2.19.4 and 3.3.0 to allow the prime parameter of the elliptic curve to be at most 521 bits. No known workarounds are available. Note that support for explicit encoding of elliptic curve parameters is deprecated in Botan.

CVSS v3.1 Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weakness Type (CWE)

CWE-405 CWE-405

CWE-770 CWE-770

References

Other References

https://github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aadee4 https://github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b5a https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7 https://github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aadee4 https://github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b5a https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7

Frequently Asked Questions

What is CVE-2024-34703? +

Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding where the parameters are very large. The proof of concept used a 16Kbit prime for this purpose. When parsing, the parameter is checked to be prime, causing excessive computation. This was patched in 2.19.4 and 3.3.0 to allow the prime parameter of the elliptic curve to be at most 521 bits. No known workarounds are available. Note that support for explicit encoding of elliptic curve parameters is deprecated in Botan. It has a CVSS v3.1 base score of 7.5 (HIGH).

How severe is CVE-2024-34703? +

CVE-2024-34703 has a CVSS v3.1 score of 7.5 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.

How do I check if I'm vulnerable to CVE-2024-34703? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-53633 9.8

Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario (i.e. a …

CVE-2024-56200 8.6

Altair is a fork of Misskey v12. Affected versions lack of request validation and lack of authentication in the image …

CVE-2025-42874 7.9

SAP NetWeaver remote service for Xcelsius allows an attacker with network access and high privileges to execute arbitrary code on …

CVE-2025-22166 7.5

This High severity DoS (Denial of Service) vulnerability was introduced in version 2.0 of Confluence Data Center. This DoS (Denial …

CVE-2025-8677 7.5

Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue …

CVE-2025-30204 7.5

golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, …