CVE-2015-7826 — Improper Certificate Validation in Project Botan

CWE-295 — Improper Certificate Validation3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

0.4%

top 37.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Botan Project Botan

Timeline

PublishedApr 10

Latest updateMay 17

Description

botan 1.11.x before 1.11.22 improperly handles wildcard matching against hostnames, which might allow remote attackers to have unspecified impact via a valid X.509 certificate, as demonstrated by accepting *.example.com as a match for bar.foo.example.com.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDbotan_project/botan1.11.21

🔴Vulnerability Details

GHSA

GHSA-hh32-7934-r8mp: botan 1↗2022-05-17

▶

💬Community

Bugzilla

CVE-2015-7826 botan: acceptance of invalid certificate names↗2016-02-24

▶