CVE-2017-2801 - OpenCVE

A programming error exists in a way Randombit Botan cryptographic library version 2.0.1 implements x500 string comparisons which could lead to certificate verification issues and abuse. A specially crafted X509 certificate would need to be delivered to the client or server application in order to trigger this vulnerability.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Botan Project	Botan

Configuration 1 [-]

cpe:2.3:a:botan_project:botan:2.0.1:*:*:*:*:*:*:*

References

Link	Resource
http://talosintelligence.com/vulnerability_reports/TALOS-2017-0294	Exploit Mitigation Third Party Advisory VDB Entry
http://www.debian.org/security/2017/dsa-3939
http://www.securityfocus.com/bid/98106	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: talos

Published: 2017-05-24T14:00:00

Updated: 2022-04-19T18:22:26

Reserved: 2016-12-01T00:00:00

Link: CVE-2017-2801

JSON object: View

NVD Information

Status : Modified

Published: 2017-05-24T14:29:00.537

Modified: 2022-04-19T19:15:21.360

Link: CVE-2017-2801

JSON object: View

Redhat Information

No data.

CWE

CWE-125

{"containers": {"cna": {"affected": [{"product": "Botan", "vendor": "Randombit", "versions": [{"status": "affected", "version": "2.0.1"}]}], "datePublic": "2017-04-28T00:00:00", "descriptions": [{"lang": "en", "value": "A programming error exists in a way Randombit Botan cryptographic library version 2.0.1 implements x500 string comparisons which could lead to certificate verification issues and abuse. A specially crafted X509 certificate would need to be delivered to the client or server application in order to trigger this vulnerability."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Certificate validation bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T18:22:26", "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos"}, "references": [{"name": "98106", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/98106"}, {"name": "DSA-3939", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2017/dsa-3939"}, {"tags": ["x_refsource_MISC"], "url": "http://talosintelligence.com/vulnerability_reports/TALOS-2017-0294"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "talos-cna@cisco.com", "ID": "CVE-2017-2801", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Botan", "version": {"version_data": [{"version_value": "2.0.1"}]}}]}, "vendor_name": "Randombit"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A programming error exists in a way Randombit Botan cryptographic library version 2.0.1 implements x500 string comparisons which could lead to certificate verification issues and abuse. A specially crafted X509 certificate would need to be delivered to the client or server application in order to trigger this vulnerability."}]}, "impact": {"cvss": {"baseScore": 6.5, "baseSeverity": "Medium", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Certificate validation bypass"}]}]}, "references": {"reference_data": [{"name": "98106", "refsource": "BID", "url": "http://www.securityfocus.com/bid/98106"}, {"name": "DSA-3939", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3939"}, {"name": "http://talosintelligence.com/vulnerability_reports/TALOS-2017-0294", "refsource": "MISC", "url": "http://talosintelligence.com/vulnerability_reports/TALOS-2017-0294"}]}}}}, "cveMetadata": {"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "assignerShortName": "talos", "cveId": "CVE-2017-2801", "datePublished": "2017-05-24T14:00:00", "dateReserved": "2016-12-01T00:00:00", "dateUpdated": "2022-04-19T18:22:26", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:botan_project:botan:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "9287361E-DC3A-4E80-BBA3-30D0419ACBC4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A programming error exists in a way Randombit Botan cryptographic library version 2.0.1 implements x500 string comparisons which could lead to certificate verification issues and abuse. A specially crafted X509 certificate would need to be delivered to the client or server application in order to trigger this vulnerability."}, {"lang": "es", "value": "Existe un error de programaci\u00f3n en una manera en que la biblioteca criptogr\u00e1fica Randombit Botan versi\u00f3n 2.0.1, implementa comparaciones de cadenas x500 que podr\u00edan conllevar problemas de comprobaci\u00f3n de certificados y violarlos. Un certificado X509 especialmente dise\u00f1ado deber\u00eda entregarse al cliente o a la aplicaci\u00f3n del servidor para desencadenar esta vulnerabilidad."}], "id": "CVE-2017-2801", "lastModified": "2022-04-19T19:15:21.360", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.7, "source": "talos-cna@cisco.com", "type": "Secondary"}]}, "published": "2017-05-24T14:29:00.537", "references": [{"source": "talos-cna@cisco.com", "tags": ["Exploit", "Mitigation", "Third Party Advisory", "VDB Entry"], "url": "http://talosintelligence.com/vulnerability_reports/TALOS-2017-0294"}, {"source": "talos-cna@cisco.com", "url": "http://www.debian.org/security/2017/dsa-3939"}, {"source": "talos-cna@cisco.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.securityfocus.com/bid/98106"}], "sourceIdentifier": "talos-cna@cisco.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}