Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/583830?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/583830?format=api", "purl": "pkg:deb/debian/botan@2.17.3%2Bdfsg-2", "type": "deb", "namespace": "debian", "name": "botan", "version": "2.17.3+dfsg-2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.19.3+dfsg-1+deb12u1", "latest_non_vulnerable_version": "2.19.3+dfsg-1+deb12u1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96248?format=api", "vulnerability_id": "VCID-4813-s8rk-xqcz", "summary": "Botan before 3.6.0, when certain LLVM versions are used, has compiler-induced secret-dependent control flow in lib/utils/ghash/ghash.cpp in GHASH in AES-GCM. There is a branch instead of an XOR with carry. This was observed for Clang in LLVM 15 on RISC-V.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-50382", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34778", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34828", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34855", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34731", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34775", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34802", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34807", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34768", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34743", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-50382" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50382", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50382" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://arxiv.org/pdf/2410.13489", "reference_id": "2410.13489", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:56:36Z/" } ], "url": "https://arxiv.org/pdf/2410.13489" }, { "reference_url": "https://github.com/randombit/botan/compare/3.5.0...3.6.0", "reference_id": "3.5.0...3.6.0", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:56:36Z/" } ], "url": "https://github.com/randombit/botan/compare/3.5.0...3.6.0" }, { "reference_url": "https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957", "reference_id": "53b0cfde580e86b03d0d27a488b6c134f662e957", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:56:36Z/" } ], "url": "https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957" }, { "reference_url": "https://news.ycombinator.com/item?id=41887153", "reference_id": "item?id=41887153", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:56:36Z/" } ], "url": "https://news.ycombinator.com/item?id=41887153" }, { "reference_url": "https://usn.ubuntu.com/7586-1/", "reference_id": "USN-7586-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7586-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/583831?format=api", "purl": "pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.19.3%252Bdfsg-1%252Bdeb12u1" } ], "aliases": [ "CVE-2024-50382" ], "risk_score": 2.6, "exploitability": "0.5", "weighted_severity": "5.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4813-s8rk-xqcz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96156?format=api", "vulnerability_id": "VCID-9kx4-w9uw-vybp", "summary": "Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. A bug in the parsing of name constraint extensions in X.509 certificates meant that if the extension included both permitted subtrees and excluded subtrees, only the permitted subtree would be checked. If a certificate included a name which was permitted by the permitted subtree but also excluded by excluded subtree, it would be accepted. Fixed in versions 3.5.0 and 2.19.5.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39312", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00281", "scoring_system": "epss", "scoring_elements": "0.51496", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00281", "scoring_system": "epss", "scoring_elements": "0.51488", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00281", "scoring_system": "epss", "scoring_elements": "0.51467", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00281", "scoring_system": "epss", "scoring_elements": "0.51454", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00281", "scoring_system": "epss", "scoring_elements": "0.51408", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00281", "scoring_system": "epss", "scoring_elements": "0.51435", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00281", "scoring_system": "epss", "scoring_elements": "0.51394", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00281", "scoring_system": "epss", "scoring_elements": "0.51447", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00281", "scoring_system": "epss", "scoring_elements": "0.51445", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39312" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39312", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39312" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86", "reference_id": "GHSA-jp24-56jm-gg86", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T19:57:15Z/" } ], "url": "https://github.com/randombit/botan/security/advisories/GHSA-jp24-56jm-gg86" }, { "reference_url": "https://usn.ubuntu.com/7586-1/", "reference_id": "USN-7586-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7586-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/583831?format=api", "purl": "pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.19.3%252Bdfsg-1%252Bdeb12u1" } ], "aliases": [ "CVE-2024-39312" ], "risk_score": 2.4, "exploitability": "0.5", "weighted_severity": "4.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9kx4-w9uw-vybp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95296?format=api", "vulnerability_id": "VCID-9us9-jyfu-hqdg", "summary": "In Botan before 2.19.3, it is possible to forge OCSP responses due to a certificate verification error. This issue was introduced in Botan 1.11.34 (November 2016).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43705", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37405", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37421", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37386", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37359", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37492", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37516", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37345", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37396", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37409", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43705" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43705", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43705" }, { "reference_url": "https://github.com/randombit/botan/releases/tag/2.19.3", "reference_id": "2.19.3", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-25T19:21:03Z/" } ], "url": "https://github.com/randombit/botan/releases/tag/2.19.3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43705", "reference_id": "CVE-2022-43705", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43705" }, { "reference_url": "https://github.com/randombit/botan/security/advisories/GHSA-4v9w-qvcq-6q7w", "reference_id": "GHSA-4v9w-qvcq-6q7w", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-25T19:21:03Z/" } ], "url": "https://github.com/randombit/botan/security/advisories/GHSA-4v9w-qvcq-6q7w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/583831?format=api", "purl": "pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.19.3%252Bdfsg-1%252Bdeb12u1" } ], "aliases": [ "CVE-2022-43705", "GHSA-4v9w-qvcq-6q7w" ], "risk_score": 4.1, "exploitability": "0.5", "weighted_severity": "8.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9us9-jyfu-hqdg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96099?format=api", "vulnerability_id": "VCID-sfcs-71wr-wbf4", "summary": "Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to 3.5.0 and 2.19.5, checking name constraints in X.509 certificates is quadratic in the number of names and name constraints. An attacker who presented a certificate chain which contained a very large number of names in the SubjectAlternativeName, signed by a CA certificate which contained a large number of name constraints, could cause a denial of service. The problem has been addressed in Botan 3.5.0 and a partial backport has also been applied and is included in Botan 2.19.5.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34702", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00449", "scoring_system": "epss", "scoring_elements": "0.63551", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00449", "scoring_system": "epss", "scoring_elements": "0.63615", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00449", "scoring_system": "epss", "scoring_elements": "0.63611", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00449", "scoring_system": "epss", "scoring_elements": "0.63627", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00449", "scoring_system": "epss", "scoring_elements": "0.63612", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00449", "scoring_system": "epss", "scoring_elements": "0.63595", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00449", "scoring_system": "epss", "scoring_elements": "0.63544", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00449", "scoring_system": "epss", "scoring_elements": "0.63578", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34702" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34702", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34702" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/randombit/botan/commit/21dccc8fef18c165ba3301d850ac61521f85637e", "reference_id": "21dccc8fef18c165ba3301d850ac61521f85637e", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/" } ], "url": "https://github.com/randombit/botan/commit/21dccc8fef18c165ba3301d850ac61521f85637e" }, { "reference_url": "https://github.com/randombit/botan/commit/39535f13c322f56aa3da2f44b2b6abb8619a82ac", "reference_id": "39535f13c322f56aa3da2f44b2b6abb8619a82ac", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/" } ], "url": "https://github.com/randombit/botan/commit/39535f13c322f56aa3da2f44b2b6abb8619a82ac" }, { "reference_url": "https://github.com/randombit/botan/pull/4034", "reference_id": "4034", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/" } ], "url": "https://github.com/randombit/botan/pull/4034" }, { "reference_url": "https://github.com/randombit/botan/pull/4045", "reference_id": "4045", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/" } ], "url": "https://github.com/randombit/botan/pull/4045" }, { "reference_url": "https://github.com/randombit/botan/pull/4047", "reference_id": "4047", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/" } ], "url": "https://github.com/randombit/botan/pull/4047" }, { "reference_url": "https://github.com/randombit/botan/pull/4052", "reference_id": "4052", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/" } ], "url": "https://github.com/randombit/botan/pull/4052" }, { "reference_url": "https://github.com/randombit/botan/pull/4186", "reference_id": "4186", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/" } ], "url": "https://github.com/randombit/botan/pull/4186" }, { "reference_url": "https://github.com/randombit/botan/pull/4187", "reference_id": "4187", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/" } ], "url": "https://github.com/randombit/botan/pull/4187" }, { "reference_url": "https://github.com/randombit/botan/commit/477822a2d10f02d8ba46c9d8a5132f25843f5cc1", "reference_id": "477822a2d10f02d8ba46c9d8a5132f25843f5cc1", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/" } ], "url": "https://github.com/randombit/botan/commit/477822a2d10f02d8ba46c9d8a5132f25843f5cc1" }, { "reference_url": "https://github.com/randombit/botan/commit/7606d70d3a2ac7114476ec2651ca0243c4536fdf", "reference_id": "7606d70d3a2ac7114476ec2651ca0243c4536fdf", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/" } ], "url": "https://github.com/randombit/botan/commit/7606d70d3a2ac7114476ec2651ca0243c4536fdf" }, { "reference_url": "https://github.com/randombit/botan/commit/c3264821b9f6286ee4e6e3e06826f6b7177e6d41", "reference_id": "c3264821b9f6286ee4e6e3e06826f6b7177e6d41", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/" } ], "url": "https://github.com/randombit/botan/commit/c3264821b9f6286ee4e6e3e06826f6b7177e6d41" }, { "reference_url": "https://github.com/randombit/botan/commit/ff704b12e6fa351aaedd07bffdc91722e84586b8", "reference_id": "ff704b12e6fa351aaedd07bffdc91722e84586b8", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/" } ], "url": "https://github.com/randombit/botan/commit/ff704b12e6fa351aaedd07bffdc91722e84586b8" }, { "reference_url": "https://github.com/randombit/botan/security/advisories/GHSA-5gg9-hqpr-r58j", "reference_id": "GHSA-5gg9-hqpr-r58j", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T17:49:00Z/" } ], "url": "https://github.com/randombit/botan/security/advisories/GHSA-5gg9-hqpr-r58j" }, { "reference_url": "https://usn.ubuntu.com/7586-1/", "reference_id": "USN-7586-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7586-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/583831?format=api", "purl": "pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.19.3%252Bdfsg-1%252Bdeb12u1" } ], "aliases": [ "CVE-2024-34702" ], "risk_score": 2.4, "exploitability": "0.5", "weighted_severity": "4.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sfcs-71wr-wbf4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96100?format=api", "vulnerability_id": "VCID-vgqy-r4ed-4bcv", "summary": "Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding where the parameters are very large. The proof of concept used a 16Kbit prime for this purpose. When parsing, the parameter is checked to be prime, causing excessive computation. This was patched in 2.19.4 and 3.3.0 to allow the prime parameter of the elliptic curve to be at most 521 bits. No known workarounds are available. Note that support for explicit encoding of elliptic curve parameters is deprecated in Botan.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34703", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00201", "scoring_system": "epss", "scoring_elements": "0.42236", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00201", "scoring_system": "epss", "scoring_elements": "0.422", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00201", "scoring_system": "epss", "scoring_elements": "0.42227", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00201", "scoring_system": "epss", "scoring_elements": "0.42169", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00201", "scoring_system": "epss", "scoring_elements": "0.42219", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00201", "scoring_system": "epss", "scoring_elements": "0.42251", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00201", "scoring_system": "epss", "scoring_elements": "0.42213", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00201", "scoring_system": "epss", "scoring_elements": "0.42186", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34703" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34703", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34703" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aadee4", "reference_id": "08c404b23740babee1f6aa51b54e966029aadee4", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-02T14:55:26Z/" } ], "url": "https://github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aadee4" }, { "reference_url": "https://github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b5a", "reference_id": "94e9154c143aa5264da6254a6a1be5bc66ee2b5a", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-02T14:55:26Z/" } ], "url": "https://github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b5a" }, { "reference_url": "https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7", "reference_id": "GHSA-w4g2-7m2h-7xj7", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-02T14:55:26Z/" } ], "url": "https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7" }, { "reference_url": "https://usn.ubuntu.com/7586-1/", "reference_id": "USN-7586-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7586-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/583831?format=api", "purl": "pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.19.3%252Bdfsg-1%252Bdeb12u1" } ], "aliases": [ "CVE-2024-34703" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vgqy-r4ed-4bcv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/96249?format=api", "vulnerability_id": "VCID-w192-d7k6-h3a3", "summary": "Botan before 3.6.0, when certain GCC versions are used, has a compiler-induced secret-dependent operation in lib/utils/donna128.h in donna128 (used in Chacha-Poly1305 and x25519). An addition can be skipped if a carry is not set. This was observed for GCC 11.3.0 with -O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be affected.)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-50383", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34753", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34693", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34732", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34728", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.347", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34656", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34779", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00173", "scoring_system": "epss", "scoring_elements": "0.38682", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00173", "scoring_system": "epss", "scoring_elements": "0.38634", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-50383" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50383", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50383" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086039", "reference_id": "1086039", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086039" }, { "reference_url": "https://arxiv.org/pdf/2410.13489", "reference_id": "2410.13489", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:53:31Z/" } ], "url": "https://arxiv.org/pdf/2410.13489" }, { "reference_url": "https://github.com/randombit/botan/compare/3.5.0...3.6.0", "reference_id": "3.5.0...3.6.0", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:53:31Z/" } ], "url": "https://github.com/randombit/botan/compare/3.5.0...3.6.0" }, { "reference_url": "https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957", "reference_id": "53b0cfde580e86b03d0d27a488b6c134f662e957", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:53:31Z/" } ], "url": "https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957" }, { "reference_url": "https://news.ycombinator.com/item?id=41887153", "reference_id": "item?id=41887153", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:53:31Z/" } ], "url": "https://news.ycombinator.com/item?id=41887153" }, { "reference_url": "https://usn.ubuntu.com/7586-1/", "reference_id": "USN-7586-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7586-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/583831?format=api", "purl": "pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.19.3%252Bdfsg-1%252Bdeb12u1" } ], "aliases": [ "CVE-2024-50383" ], "risk_score": 2.6, "exploitability": "0.5", "weighted_severity": "5.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w192-d7k6-h3a3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11195?format=api", "vulnerability_id": "VCID-xffg-w6fz-yqfj", "summary": "Use of a Broken or Risky Cryptographic Algorithm\nThe ElGamal implementation in Botan, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-40529", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.53363", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.53242", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.53265", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.53291", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.5326", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.53312", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.53307", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.53357", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.53341", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.53325", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-40529" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40529", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40529" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993840", "reference_id": "993840", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993840" }, { "reference_url": "https://security.archlinux.org/AVG-2362", "reference_id": "AVG-2362", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2362" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40529", "reference_id": "CVE-2021-40529", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40529" }, { "reference_url": "https://security.gentoo.org/glsa/202208-14", "reference_id": "GLSA-202208-14", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202208-14" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/583831?format=api", "purl": "pkg:deb/debian/botan@2.19.3%2Bdfsg-1%2Bdeb12u1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.19.3%252Bdfsg-1%252Bdeb12u1" } ], "aliases": [ "CVE-2021-40529" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xffg-w6fz-yqfj" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94671?format=api", "vulnerability_id": "VCID-32jb-t7zq-uyhe", "summary": "In Botan before 2.17.3, constant-time computations are not used for certain decoding and encoding operations (base32, base58, base64, and hex).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-24115", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72289", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72204", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72209", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72229", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72205", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72242", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72254", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72277", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.7226", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00711", "scoring_system": "epss", "scoring_elements": "0.72247", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-24115" }, { "reference_url": "https://botan.randombit.net/news.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://botan.randombit.net/news.html" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24115", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24115" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24115", "reference_id": "CVE-2021-24115", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24115" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/583830?format=api", "purl": "pkg:deb/debian/botan@2.17.3%2Bdfsg-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4813-s8rk-xqcz" }, { "vulnerability": "VCID-9kx4-w9uw-vybp" }, { "vulnerability": "VCID-9us9-jyfu-hqdg" }, { "vulnerability": "VCID-sfcs-71wr-wbf4" }, { "vulnerability": "VCID-vgqy-r4ed-4bcv" }, { "vulnerability": "VCID-w192-d7k6-h3a3" }, { "vulnerability": "VCID-xffg-w6fz-yqfj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.17.3%252Bdfsg-2" } ], "aliases": [ "CVE-2021-24115" ], "risk_score": 2.5, "exploitability": "0.5", "weighted_severity": "4.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-32jb-t7zq-uyhe" } ], "risk_score": "4.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/botan@2.17.3%252Bdfsg-2" }