AZL-44286

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-44286.json

JSON Data

https://api.osv.dev/v1/vulns/AZL-44286

Upstream

CVE-2024-39312

Published

2024-07-08T17:15:11Z

Modified

2026-04-21T04:31:22.075246Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

CVE-2024-39312 affecting package botan2 2.14.0-2

Details

Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-39312

Affected packages

Azure Linux:3 / botan2

Package

Name: botan2
Purl: pkg:rpm/azure-linux/botan2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2.14.0-2

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-44286.json"