CVE-2016-2850: Improper Input Validation in Project Botan

Severity: 7.5 HIGH (NVD)
EPSS: 0.4% (top 37.35%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 13; latest update May 17

Description

Botan 1.11.x before 1.11.29 does not enforce TLS policy for (1) signature algorithms and (2) ECC curves, which allows remote attackers to conduct downgrade attacks via unspecified vectors.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (1 package)

NVD: botan_project/botan (29 versions)

Also affects: Fedora 24

🔴 Vulnerability Details (1)

GHSA: GHSA-q2v2-6g2j-qv56: Botan 1 (2022-05-17)

💬 Community (3)

Bugzilla: CVE-2016-2849 CVE-2016-2850 botan: two issues fixed in 1.11.29 [epel-all] (2016-04-27)
Bugzilla: CVE-2016-2849 CVE-2016-2850 botan: two issues fixed in 1.11.29 [fedora-all] (2016-04-27)
Bugzilla: CVE-2016-2849 CVE-2016-2850 botan: two issues fixed in 1.11.29 (2016-04-27)