CVE-2024-34703 — Asymmetric Resource Consumption (Amplification) in Botan

CWE-405 — Asymmetric Resource Consumption (Amplification)CWE-770 — Allocation of Resources Without Limits or Throttling5 documents4 sources

Severity

7.5HIGHNVD

OSV5.3

EPSS

0.2%

top 57.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Randombit Botan Botan Project Botan Debian Botan

Timeline

PublishedJun 30

Latest updateJun 23

Description

Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding where the parameters are very large. The proof of concept used a 16Kbit prime for this purpose. When parsing, the parameter is checked to be prime, causing excessive computation. This was patched in 2.19.4 and 3.3.0 to all…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/botan< botan 2.19.3+dfsg-1+deb12u1 (bookworm)

▶CVEListV5randombit/botan< 2.19.4+1

▶Debianbotan_project/botan< 2.19.3+dfsg-1+deb12u1+1

▶Ubuntubotan_project/botan< 2.19.1+dfsg-2ubuntu1+esm1+1

🔴Vulnerability Details

OSV

botan vulnerabilities↗2025-06-23

▶

OSV

CVE-2024-34703: Botan is a C++ cryptography library↗2024-06-30

▶

📋Vendor Advisories

Ubuntu

Botan vulnerabilities↗2025-06-23

▶

Debian

CVE-2024-34703: botan - Botan is a C++ cryptography library. X.509 certificates can identify elliptic cu...↗2024

▶