Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:deb/debian/botan@2.17.3%2Bdfsg-2

Type deb

Namespace debian

Name botan

Version 2.17.3+dfsg-2

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.19.3+dfsg-1+deb12u1

Latest_non_vulnerable_version 2.19.3+dfsg-1+deb12u1

Affected_by_vulnerabilities

url VCID-4813-s8rk-xqcz

vulnerability_id VCID-4813-s8rk-xqcz

summary Botan before 3.6.0, when certain LLVM versions are used, has compiler-induced secret-dependent control flow in lib/utils/ghash/ghash.cpp in GHASH in AES-GCM. There is a branch instead of an XOR with carry. This was observed for Clang in LLVM 15 on RISC-V.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-50382

reference_id

reference_type

scores

value	0.00144
scoring_system	epss
scoring_elements	0.34723
published_at	2026-04-21T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34855
published_at	2026-04-04T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34731
published_at	2026-04-07T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34775
published_at	2026-04-08T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34802
published_at	2026-04-09T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34807
published_at	2026-04-11T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34768
published_at	2026-04-12T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34743
published_at	2026-04-13T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34778
published_at	2026-04-16T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34764
published_at	2026-04-18T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34828
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-50382

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50382
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50382

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://arxiv.org/pdf/2410.13489

reference_id

2410.13489

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:56:36Z/

url

https://arxiv.org/pdf/2410.13489

reference_url

https://github.com/randombit/botan/compare/3.5.0...3.6.0

reference_id

3.5.0...3.6.0

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:56:36Z/

url

https://github.com/randombit/botan/compare/3.5.0...3.6.0

reference_url

https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957

reference_id

53b0cfde580e86b03d0d27a488b6c134f662e957

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:56:36Z/

url

https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957

reference_url

https://news.ycombinator.com/item?id=41887153

reference_id

item?id=41887153

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:56:36Z/

url

https://news.ycombinator.com/item?id=41887153

reference_url	https://usn.ubuntu.com/7586-1/
reference_id	USN-7586-1
reference_type
scores
url	https://usn.ubuntu.com/7586-1/

fixed_packages

url	pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1
purl	pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.19.3%252Bdfsg-1%252Bdeb12u1

aliases CVE-2024-50382

risk_score 2.6

exploitability 0.5

weighted_severity 5.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4813-s8rk-xqcz

url VCID-9kx4-w9uw-vybp

vulnerability_id VCID-9kx4-w9uw-vybp

summary Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-39312

reference_id

reference_type

scores

value	0.00281
scoring_system	epss
scoring_elements	0.51482
published_at	2026-04-21T12:55:00Z

value	0.00281
scoring_system	epss
scoring_elements	0.51454
published_at	2026-04-13T12:55:00Z

value	0.00281
scoring_system	epss
scoring_elements	0.51496
published_at	2026-04-16T12:55:00Z

value	0.00281
scoring_system	epss
scoring_elements	0.51504
published_at	2026-04-18T12:55:00Z

value	0.00281
scoring_system	epss
scoring_elements	0.51408
published_at	2026-04-02T12:55:00Z

value	0.00281
scoring_system	epss
scoring_elements	0.51435
published_at	2026-04-04T12:55:00Z

value	0.00281
scoring_system	epss
scoring_elements	0.51394
published_at	2026-04-07T12:55:00Z

value	0.00281
scoring_system	epss
scoring_elements	0.51447
published_at	2026-04-08T12:55:00Z

value	0.00281
scoring_system	epss
scoring_elements	0.51445
published_at	2026-04-09T12:55:00Z

value	0.00281
scoring_system	epss
scoring_elements	0.51488
published_at	2026-04-11T12:55:00Z

value	0.00281
scoring_system	epss
scoring_elements	0.51467
published_at	2026-04-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-39312

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39312
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39312

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86

reference_id

GHSA-jp24-56jm-gg86

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T19:57:15Z/

url

https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86

reference_url	https://usn.ubuntu.com/7586-1/
reference_id	USN-7586-1
reference_type
scores
url	https://usn.ubuntu.com/7586-1/

fixed_packages

url	pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1
purl	pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.19.3%252Bdfsg-1%252Bdeb12u1

aliases CVE-2024-39312

risk_score 2.4

exploitability 0.5

weighted_severity 4.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9kx4-w9uw-vybp

url VCID-9us9-jyfu-hqdg

vulnerability_id VCID-9us9-jyfu-hqdg

summary In Botan before 2.19.3, it is possible to forge OCSP responses due to a certificate verification error. This issue was introduced in Botan 1.11.34 (November 2016).

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-43705

reference_id

reference_type

scores

value	0.00164
scoring_system	epss
scoring_elements	0.37331
published_at	2026-04-21T12:55:00Z

value	0.00164
scoring_system	epss
scoring_elements	0.37359
published_at	2026-04-13T12:55:00Z

value	0.00164
scoring_system	epss
scoring_elements	0.37405
published_at	2026-04-16T12:55:00Z

value	0.00164
scoring_system	epss
scoring_elements	0.37387
published_at	2026-04-18T12:55:00Z

value	0.00164
scoring_system	epss
scoring_elements	0.37492
published_at	2026-04-02T12:55:00Z

value	0.00164
scoring_system	epss
scoring_elements	0.37516
published_at	2026-04-04T12:55:00Z

value	0.00164
scoring_system	epss
scoring_elements	0.37345
published_at	2026-04-07T12:55:00Z

value	0.00164
scoring_system	epss
scoring_elements	0.37396
published_at	2026-04-08T12:55:00Z

value	0.00164
scoring_system	epss
scoring_elements	0.37409
published_at	2026-04-09T12:55:00Z

value	0.00164
scoring_system	epss
scoring_elements	0.37421
published_at	2026-04-11T12:55:00Z

value	0.00164
scoring_system	epss
scoring_elements	0.37386
published_at	2026-04-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-43705

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43705
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43705

reference_url

https://github.com/randombit/botan/releases/tag/2.19.3

reference_id

2.19.3

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-25T19:21:03Z/

url

https://github.com/randombit/botan/releases/tag/2.19.3

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2022-43705
reference_id	CVE-2022-43705
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2022-43705

reference_url

https://github.com/randombit/botan/security/advisories/GHSA-4v9w-qvcq-6q7w

reference_id

GHSA-4v9w-qvcq-6q7w

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-25T19:21:03Z/

url

https://github.com/randombit/botan/security/advisories/GHSA-4v9w-qvcq-6q7w

fixed_packages

url	pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1
purl	pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.19.3%252Bdfsg-1%252Bdeb12u1

aliases CVE-2022-43705, GHSA-4v9w-qvcq-6q7w

risk_score 4.1

exploitability 0.5

weighted_severity 8.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9us9-jyfu-hqdg

url VCID-sfcs-71wr-wbf4

vulnerability_id VCID-sfcs-71wr-wbf4

summary Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to 3.5.0 and 2.19.5, checking name constraints in X.509 certificates is quadratic in the number of names and name constraints. An attacker who presented a certificate chain which contained a very large number of names in the SubjectAlternativeName, signed by a CA certificate which contained a large number of name constraints, could cause a denial of service. The problem has been addressed in Botan 3.5.0 and a partial backport has also been applied and is included in Botan 2.19.5.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-34702

reference_id

reference_type

scores

value	0.00449
scoring_system	epss
scoring_elements	0.63551
published_at	2026-04-02T12:55:00Z

value	0.00449
scoring_system	epss
scoring_elements	0.63606
published_at	2026-04-21T12:55:00Z

value	0.00449
scoring_system	epss
scoring_elements	0.63623
published_at	2026-04-18T12:55:00Z

value	0.00449
scoring_system	epss
scoring_elements	0.63615
published_at	2026-04-16T12:55:00Z

value	0.00449
scoring_system	epss
scoring_elements	0.63611
published_at	2026-04-12T12:55:00Z

value	0.00449
scoring_system	epss
scoring_elements	0.63627
published_at	2026-04-11T12:55:00Z

value	0.00449
scoring_system	epss
scoring_elements	0.63612
published_at	2026-04-09T12:55:00Z

value	0.00449
scoring_system	epss
scoring_elements	0.63595
published_at	2026-04-08T12:55:00Z

value	0.00449
scoring_system	epss
scoring_elements	0.63544
published_at	2026-04-07T12:55:00Z

value	0.00449
scoring_system	epss
scoring_elements	0.63578
published_at	2026-04-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-34702

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34702
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34702

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/randombit/botan/commit/21dccc8fef18c165ba3301d850ac61521f85637e

reference_id

21dccc8fef18c165ba3301d850ac61521f85637e

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/

url

https://github.com/randombit/botan/commit/21dccc8fef18c165ba3301d850ac61521f85637e

reference_url

https://github.com/randombit/botan/commit/39535f13c322f56aa3da2f44b2b6abb8619a82ac

reference_id

39535f13c322f56aa3da2f44b2b6abb8619a82ac

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/

url

https://github.com/randombit/botan/commit/39535f13c322f56aa3da2f44b2b6abb8619a82ac

reference_url

https://github.com/randombit/botan/pull/4034

reference_id

4034

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/

url

https://github.com/randombit/botan/pull/4034

reference_url

https://github.com/randombit/botan/pull/4045

reference_id

4045

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/

url

https://github.com/randombit/botan/pull/4045

reference_url

https://github.com/randombit/botan/pull/4047

reference_id

4047

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/

url

https://github.com/randombit/botan/pull/4047

reference_url

https://github.com/randombit/botan/pull/4052

reference_id

4052

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/

url

https://github.com/randombit/botan/pull/4052

reference_url

https://github.com/randombit/botan/pull/4186

reference_id

4186

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/

url

https://github.com/randombit/botan/pull/4186

reference_url

https://github.com/randombit/botan/pull/4187

reference_id

4187

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/

url

https://github.com/randombit/botan/pull/4187

reference_url

https://github.com/randombit/botan/commit/477822a2d10f02d8ba46c9d8a5132f25843f5cc1

reference_id

477822a2d10f02d8ba46c9d8a5132f25843f5cc1

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/

url

https://github.com/randombit/botan/commit/477822a2d10f02d8ba46c9d8a5132f25843f5cc1

reference_url

https://github.com/randombit/botan/commit/7606d70d3a2ac7114476ec2651ca0243c4536fdf

reference_id

7606d70d3a2ac7114476ec2651ca0243c4536fdf

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/

url

https://github.com/randombit/botan/commit/7606d70d3a2ac7114476ec2651ca0243c4536fdf

reference_url

https://github.com/randombit/botan/commit/c3264821b9f6286ee4e6e3e06826f6b7177e6d41

reference_id

c3264821b9f6286ee4e6e3e06826f6b7177e6d41

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/

url

https://github.com/randombit/botan/commit/c3264821b9f6286ee4e6e3e06826f6b7177e6d41

reference_url

https://github.com/randombit/botan/commit/ff704b12e6fa351aaedd07bffdc91722e84586b8

reference_id

ff704b12e6fa351aaedd07bffdc91722e84586b8

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/

url

https://github.com/randombit/botan/commit/ff704b12e6fa351aaedd07bffdc91722e84586b8

reference_url

https://github.com/randombit/botan/security/advisories/GHSA-5gg9-hqpr-r58j

reference_id

GHSA-5gg9-hqpr-r58j

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/

url

https://github.com/randombit/botan/security/advisories/GHSA-5gg9-hqpr-r58j

reference_url	https://usn.ubuntu.com/7586-1/
reference_id	USN-7586-1
reference_type
scores
url	https://usn.ubuntu.com/7586-1/

fixed_packages

url	pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1
purl	pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.19.3%252Bdfsg-1%252Bdeb12u1

aliases CVE-2024-34702

risk_score 2.4

exploitability 0.5

weighted_severity 4.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sfcs-71wr-wbf4

url VCID-vgqy-r4ed-4bcv

vulnerability_id VCID-vgqy-r4ed-4bcv

summary Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding where the parameters are very large. The proof of concept used a 16Kbit prime for this purpose. When parsing, the parameter is checked to be prime, causing excessive computation. This was patched in 2.19.4 and 3.3.0 to allow the prime parameter of the elliptic curve to be at most 521 bits. No known workarounds are available. Note that support for explicit encoding of elliptic curve parameters is deprecated in Botan.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-34703

reference_id

reference_type

scores

value	0.00201
scoring_system	epss
scoring_elements	0.42143
published_at	2026-04-21T12:55:00Z

value	0.00201
scoring_system	epss
scoring_elements	0.42169
published_at	2026-04-07T12:55:00Z

value	0.00201
scoring_system	epss
scoring_elements	0.42219
published_at	2026-04-08T12:55:00Z

value	0.00201
scoring_system	epss
scoring_elements	0.42251
published_at	2026-04-11T12:55:00Z

value	0.00201
scoring_system	epss
scoring_elements	0.42213
published_at	2026-04-12T12:55:00Z

value	0.00201
scoring_system	epss
scoring_elements	0.42186
published_at	2026-04-13T12:55:00Z

value	0.00201
scoring_system	epss
scoring_elements	0.42236
published_at	2026-04-16T12:55:00Z

value	0.00201
scoring_system	epss
scoring_elements	0.42212
published_at	2026-04-18T12:55:00Z

value	0.00201
scoring_system	epss
scoring_elements	0.422
published_at	2026-04-02T12:55:00Z

value	0.00201
scoring_system	epss
scoring_elements	0.42227
published_at	2026-04-09T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-34703

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34703
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34703

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aadee4

reference_id

08c404b23740babee1f6aa51b54e966029aadee4

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-02T14:55:26Z/

url

https://github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aadee4

reference_url

https://github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b5a

reference_id

94e9154c143aa5264da6254a6a1be5bc66ee2b5a

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-02T14:55:26Z/

url

https://github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b5a

reference_url

https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7

reference_id

GHSA-w4g2-7m2h-7xj7

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-02T14:55:26Z/

url

https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7

reference_url	https://usn.ubuntu.com/7586-1/
reference_id	USN-7586-1
reference_type
scores
url	https://usn.ubuntu.com/7586-1/

fixed_packages

url	pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1
purl	pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.19.3%252Bdfsg-1%252Bdeb12u1

aliases CVE-2024-34703

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vgqy-r4ed-4bcv

url VCID-w192-d7k6-h3a3

vulnerability_id VCID-w192-d7k6-h3a3

summary Botan before 3.6.0, when certain GCC versions are used, has a compiler-induced secret-dependent operation in lib/utils/donna128.h in donna128 (used in Chacha-Poly1305 and x25519). An addition can be skipped if a carry is not set. This was observed for GCC 11.3.0 with -O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be affected.)

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-50383

reference_id

reference_type

scores

value	0.00144
scoring_system	epss
scoring_elements	0.34753
published_at	2026-04-02T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34693
published_at	2026-04-12T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34732
published_at	2026-04-11T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34728
published_at	2026-04-09T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.347
published_at	2026-04-08T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34656
published_at	2026-04-07T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34779
published_at	2026-04-04T12:55:00Z

value	0.00173
scoring_system	epss
scoring_elements	0.38582
published_at	2026-04-21T12:55:00Z

value	0.00173
scoring_system	epss
scoring_elements	0.38634
published_at	2026-04-13T12:55:00Z

value	0.00173
scoring_system	epss
scoring_elements	0.38682
published_at	2026-04-16T12:55:00Z

value	0.00173
scoring_system	epss
scoring_elements	0.3866
published_at	2026-04-18T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-50383

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50383
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50383

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086039
reference_id	1086039
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086039

reference_url

https://arxiv.org/pdf/2410.13489

reference_id

2410.13489

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:53:31Z/

url

https://arxiv.org/pdf/2410.13489

reference_url

https://github.com/randombit/botan/compare/3.5.0...3.6.0

reference_id

3.5.0...3.6.0

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:53:31Z/

url

https://github.com/randombit/botan/compare/3.5.0...3.6.0

reference_url

https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957

reference_id

53b0cfde580e86b03d0d27a488b6c134f662e957

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:53:31Z/

url

https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957

reference_url

https://news.ycombinator.com/item?id=41887153

reference_id

item?id=41887153

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:53:31Z/

url

https://news.ycombinator.com/item?id=41887153

reference_url	https://usn.ubuntu.com/7586-1/
reference_id	USN-7586-1
reference_type
scores
url	https://usn.ubuntu.com/7586-1/

fixed_packages

url	pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1
purl	pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.19.3%252Bdfsg-1%252Bdeb12u1

aliases CVE-2024-50383

risk_score 2.6

exploitability 0.5

weighted_severity 5.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w192-d7k6-h3a3

url VCID-xffg-w6fz-yqfj

vulnerability_id VCID-xffg-w6fz-yqfj

summary

Use of a Broken or Risky Cryptographic Algorithm
The ElGamal implementation in Botan, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-40529

reference_id

reference_type

scores

value	0.003
scoring_system	epss
scoring_elements	0.53348
published_at	2026-04-21T12:55:00Z

value	0.003
scoring_system	epss
scoring_elements	0.53242
published_at	2026-04-01T12:55:00Z

value	0.003
scoring_system	epss
scoring_elements	0.53265
published_at	2026-04-02T12:55:00Z

value	0.003
scoring_system	epss
scoring_elements	0.53291
published_at	2026-04-04T12:55:00Z

value	0.003
scoring_system	epss
scoring_elements	0.5326
published_at	2026-04-07T12:55:00Z

value	0.003
scoring_system	epss
scoring_elements	0.53312
published_at	2026-04-08T12:55:00Z

value	0.003
scoring_system	epss
scoring_elements	0.53307
published_at	2026-04-09T12:55:00Z

value	0.003
scoring_system	epss
scoring_elements	0.53357
published_at	2026-04-11T12:55:00Z

value	0.003
scoring_system	epss
scoring_elements	0.53341
published_at	2026-04-12T12:55:00Z

value	0.003
scoring_system	epss
scoring_elements	0.53325
published_at	2026-04-13T12:55:00Z

value	0.003
scoring_system	epss
scoring_elements	0.53363
published_at	2026-04-16T12:55:00Z

value	0.003
scoring_system	epss
scoring_elements	0.53368
published_at	2026-04-18T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-40529

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40529
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40529

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993840
reference_id	993840
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993840

reference_url

https://security.archlinux.org/AVG-2362

reference_id

AVG-2362

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-2362

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2021-40529
reference_id	CVE-2021-40529
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2021-40529

reference_url	https://security.gentoo.org/glsa/202208-14
reference_id	GLSA-202208-14
reference_type
scores
url	https://security.gentoo.org/glsa/202208-14

fixed_packages

url	pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1
purl	pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.19.3%252Bdfsg-1%252Bdeb12u1

aliases CVE-2021-40529

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xffg-w6fz-yqfj

Fixing_vulnerabilities

url VCID-32jb-t7zq-uyhe

vulnerability_id VCID-32jb-t7zq-uyhe

summary In Botan before 2.17.3, constant-time computations are not used for certain decoding and encoding operations (base32, base58, base64, and hex).

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-24115

reference_id

reference_type

scores

value	0.00711
scoring_system	epss
scoring_elements	0.72286
published_at	2026-04-21T12:55:00Z

value	0.00711
scoring_system	epss
scoring_elements	0.72204
published_at	2026-04-01T12:55:00Z

value	0.00711
scoring_system	epss
scoring_elements	0.72209
published_at	2026-04-02T12:55:00Z

value	0.00711
scoring_system	epss
scoring_elements	0.72229
published_at	2026-04-04T12:55:00Z

value	0.00711
scoring_system	epss
scoring_elements	0.72205
published_at	2026-04-07T12:55:00Z

value	0.00711
scoring_system	epss
scoring_elements	0.72242
published_at	2026-04-08T12:55:00Z

value	0.00711
scoring_system	epss
scoring_elements	0.72254
published_at	2026-04-09T12:55:00Z

value	0.00711
scoring_system	epss
scoring_elements	0.72277
published_at	2026-04-11T12:55:00Z

value	0.00711
scoring_system	epss
scoring_elements	0.7226
published_at	2026-04-12T12:55:00Z

value	0.00711
scoring_system	epss
scoring_elements	0.72247
published_at	2026-04-13T12:55:00Z

value	0.00711
scoring_system	epss
scoring_elements	0.72289
published_at	2026-04-16T12:55:00Z

value	0.00711
scoring_system	epss
scoring_elements	0.72298
published_at	2026-04-18T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-24115

reference_url	https://botan.randombit.net/news.html
reference_id
reference_type
scores
url	https://botan.randombit.net/news.html

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24115
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24115

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2021-24115
reference_id	CVE-2021-24115
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2021-24115

fixed_packages

url pkg:deb/debian/botan@2.17.3%2Bdfsg-2

purl pkg:deb/debian/botan@2.17.3%2Bdfsg-2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4813-s8rk-xqcz

vulnerability	VCID-9kx4-w9uw-vybp

vulnerability	VCID-9us9-jyfu-hqdg

vulnerability	VCID-sfcs-71wr-wbf4

vulnerability	VCID-vgqy-r4ed-4bcv

vulnerability	VCID-w192-d7k6-h3a3

vulnerability	VCID-xffg-w6fz-yqfj

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.17.3%252Bdfsg-2

aliases CVE-2021-24115

risk_score 2.5

exploitability 0.5

weighted_severity 4.9

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-32jb-t7zq-uyhe

Risk_score 4.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.17.3%252Bdfsg-2

Package Instance