Compiler-Induced Vulnerability in Botan Crypto Library by Randombit Affecting Specific GCC Versions
CVE-2024-50383

5.9MEDIUM

Key Information:

Vendor: Randombit
Status: Botan
Vendor: CVE Published:; 23 October 2024

What is CVE-2024-50383?

An issue has been identified in the Botan cryptography library that affects versions prior to 3.6.0, particularly when compiled with certain versions of GCC, notably 11.3.0, on MIPS and x86-i386 architectures. This vulnerability manifests as a secret-dependent operation in the donna128 implementation located in lib/utils/donna128.h. Under specific conditions, an addition operation can be skipped if a carry is not flagged, potentially compromising cryptographic integrity. This situation is critical for developers and organizations using Botan for sensitive applications, particularly in environments where 32-bit processors are still in operation.

References

https://github.com/randombit/botan/commit/53b0cfde580e86b...

https://github.com/randombit/botan/compare/3.5.0...3.6.0

https://arxiv.org/pdf/2410.13489

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 23, 2024

CVE-2024-50383 Data

JSON