CVE-2024-50382 — Vulnetix

CVE-2024-50382 PUBLISHED CVSS 5.900000095367432 MEDIUM

Botan before 3.6.0, when certain LLVM versions are used, has compiler-induced secret-dependent control flow in lib/utils/ghash/ghash.cpp in GHASH in AES-GCM. There is a branch instead of an XOR with carry. This was observed for Clang in LLVM 15 on RISC-V.

EPSS 0.16% · 36.3th percentile

Risk Scores

CVSS 3.1

5.900000095367432

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score

0.16%

36.3th percentile

Affected Products

Vendor	Product	Versions
botan_project	botan	0
botan_project	botan	0
n/a	n/a	n/a

Exploit Intelligence

https://arxiv.org/pdf/2410.13489 (nist-nvd)
https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957 (circl)
https://github.com/randombit/botan/compare/3.5.0...3.6.0 (circl)
https://news.ycombinator.com/item?id=41887153 (circl)

Timeline

Oct 23, 2024 CVE Published
Oct 24, 2024 EPSS Score
Oct 24, 2024 Coalition ESS Score
Oct 24, 2024 Coalition ESS Score
Oct 24, 2024 CVE Updated
Oct 25, 2024 Coalition ESS Score
Nov 11, 2024 EPSS Score
Nov 30, 2024 EPSS Score
Dec 19, 2024 EPSS Score
Jan 6, 2025 EPSS Score
Jan 25, 2025 EPSS Score
Feb 12, 2025 EPSS Score

References

Open in Interactive Console →