CVE-2024-50383 — Vulnetix

CVE-2024-50383 PUBLISHED CVSS 5.900000095367432 MEDIUM

Botan before 3.6.0, when certain GCC versions are used, has a compiler-induced secret-dependent operation in lib/utils/donna128.h in donna128 (used in Chacha-Poly1305 and x25519). An addition can be skipped if a carry is not set. This was observed for GCC 11.3.0 with -O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be affected.)

EPSS 0.17% · 38.5th percentile

Risk Scores

CVSS 3.1

5.900000095367432

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score

0.17%

38.5th percentile

Affected Products

Vendor	Product	Versions
botan_project	botan	0
n/a	n/a	n/a
botan_project	botan	0

Exploit Intelligence

https://arxiv.org/pdf/2410.13489 (nist-nvd)
https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957 (circl)
https://github.com/randombit/botan/compare/3.5.0...3.6.0 (circl)
https://news.ycombinator.com/item?id=41887153 (circl)

Timeline

Oct 23, 2024 CVE Published
Oct 23, 2024 Coalition ESS Score
Oct 24, 2024 EPSS Score
Oct 24, 2024 Coalition ESS Score
Oct 24, 2024 Coalition ESS Score
Oct 24, 2024 CVE Updated
Oct 25, 2024 Coalition ESS Score
Nov 11, 2024 EPSS Score
Nov 30, 2024 EPSS Score
Dec 19, 2024 EPSS Score
Jan 6, 2025 EPSS Score
Jan 25, 2025 EPSS Score

References

Open in Interactive Console →