CVE-2018-9127

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2018-9127
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-9127.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-9127
Downstream
Related
Published
2018-04-02T17:29:00Z
Modified
2025-10-14T16:35:30.181664Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Botan 2.2.0 - 2.4.0 (fixed in 2.5.0) improperly handled wildcard certificates and could accept certain certificates as valid for hostnames when, under RFC 6125 rules, they should not match. This only affects certificates issued to the same domain as the host, so to impersonate a host one must already have a wildcard certificate matching other hosts in the same domain. For example, b*.example.com would match some hostnames that do not begin with a 'b' character.

References

Affected packages

Git / github.com/randombit/botan

Affected ranges

Type
GIT
Repo
https://github.com/randombit/botan
Events
Introduced
33f87a596ffa1fcbc017d9593dce0906d7d32208
Last affected
1e93b85fb5a4d628b80a9812b38b842b5c8b4363

Affected versions

2.*

2.2.0
2.3.0
2.4.0