CVE-2024-34702

5.3 MEDIUM

📋 TL;DR

This vulnerability in the Botan cryptography library allows denial-of-service attacks via quadratic complexity in X.509 certificate name constraint validation. Attackers can craft certificate chains with many SubjectAlternativeNames and name constraints to cause excessive CPU consumption. Systems using Botan for X.509 certificate processing are affected.

💻 Affected Systems

Products:
  • Botan cryptography library
Versions: All versions before 3.5.0 and 2.x before 2.19.5
Operating Systems: All platforms where Botan is used
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using Botan for X.509 certificate validation with name constraints is vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to CPU exhaustion, potentially affecting all services relying on Botan for certificate validation.

🟠 Likely Case

Degraded performance or temporary service disruption during certificate validation of malicious chains.

🟢 If Mitigated

Minimal impact with proper rate limiting, input validation, and updated Botan versions.

🌐 Internet-Facing: MEDIUM - Attackers can potentially trigger DoS by presenting malicious certificates, but requires specific certificate chain construction.
🏢 Internal Only: LOW - Internal systems typically process trusted certificates, reducing attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific certificate chains with many names and constraints, which is non-trivial but documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Botan 3.5.0 or 2.19.5

Vendor Advisory: https://github.com/randombit/botan/security/advisories

Restart Required: Yes

Instructions:

  1. Update Botan to version 3.5.0 or 2.19.5.
  2. Recompile applications using Botan.
  3. Restart affected services.

🔧 Temporary Workarounds

Limit certificate chain complexity (platform: all)

Configure applications to reject certificates with excessive SubjectAlternativeNames or name constraints.

Application-specific configuration required.

Rate limit certificate validation (platform: all)

Implement rate limiting on certificate validation endpoints.

Application/network-specific configuration required.

🧯 If You Can't Patch

  • Implement strict input validation to reject certificates with unusually large numbers of names or constraints
  • Deploy network-level protections like WAFs to filter malicious certificate traffic

🔍 How to Verify

Check if Vulnerable:

Check Botan version: botan version or check linked library version

Check Version:

botan version 2>&1 | grep -i version

Verify Fix Applied:

Verify Botan version is 3.5.0+ or 2.19.5+
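The version check above, as an added shell example that is not part of this advisory or the Botan project: it normalises an x.y.z version string and applies the advisory's per-branch fixed releases (2.19.5 for 2.x, 3.5.0 for 3.x). The function names and the `--check` flag are assumptions, and it expects plain x.y.z strings such as `botan version` prints.

```shell
#!/bin/sh
# Added example, not from the advisory or the Botan project. Classifies a
# Botan version string against the advisory's fixed releases:
# 2.19.5 on the 2.x branch, 3.5.0 on the 3.x branch (later majors count as fixed).
# Assumes plain "x.y.z" version strings such as the ones `botan version` prints.

# Turn "x.y.z" (missing fields default to 0) into one comparable integer.
ver_num() {
    maj=${1%%.*}
    rest=${1#"$maj"}; rest=${rest#.}
    min=${rest%%.*}
    rest=${rest#"$min"}; rest=${rest#.}
    pat=${rest%%.*}
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# Exit status 0 if the given version carries the fix, 1 otherwise.
botan_is_fixed() {
    n=$(ver_num "$1")
    case ${1%%.*} in
        2) [ "$n" -ge "$(ver_num 2.19.5)" ] ;;   # 2.x branch: needs 2.19.5+
        3) [ "$n" -ge "$(ver_num 3.5.0)" ] ;;    # 3.x branch: needs 3.5.0+
        *) [ "$n" -ge "$(ver_num 4.0.0)" ] ;;    # 1.x is older than every fix
    esac
}

# Run the advisory's CLI check and report; returns 2 when no CLI is found
# (then fall back to checking the linked library version).
check_installed_botan() {
    v=$(botan version 2>/dev/null | head -n 1)
    if [ -z "$v" ]; then
        echo "botan CLI not found; check the linked library version instead"
        return 2
    fi
    if botan_is_fixed "$v"; then
        echo "Botan $v: fix present (CVE-2024-34702)"
    else
        echo "Botan $v: VULNERABLE to CVE-2024-34702, update to 2.19.5 / 3.5.0"
        return 1
    fi
}

# Only query the local install when asked, so the functions can be sourced.
if [ "${1:-}" = "--check" ]; then
    check_installed_botan
fi
```

Run it as `sh check_botan.sh --check` on the host, or source it and call `botan_is_fixed` on a version string taken from your package manager or linked library.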

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage during certificate validation
  • Certificate validation timeouts
  • Unusually large certificate chains in logs

Network Indicators:

  • Incoming connections presenting large certificate chains
  • Increased TLS handshake failures

SIEM Query:

source="application_logs" AND ("certificate validation" OR "X.509") AND ("timeout" OR "high cpu" OR "denial")
