Vulnerability CVE-2021-24115

Vulnerability Name:

CVE-2021-24115 (CCN-197146)

Assigned:

2020-12-21

Published:

2020-12-21

Updated:

2021-02-26

Summary:

In Botan before 2.17.3, constant-time computations are not used for certain decoding and encoding operations (base32, base58, base64, and hex).

CVSS v3 Severity:

9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.8 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-noinfo

Vulnerability Consequences:

Other

References:

Source: MITRE
Type: CNA
CVE-2021-24115

Source: CCN
Type: Botan Web site
Botan

Source: CONFIRM
Type: Release Notes, Vendor Advisory
https://botan.randombit.net/news.html

Source: XF
Type: UNKNOWN
botan-cve202124115-unspecified(197146)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/randombit/botan/compare/2.17.2...2.17.3

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/randombit/botan/pull/2549

Source: CCN
Type: Packet Storm Security [11-17-2022]
Botan C++ Crypto Algorithms Library 2.19.3

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-24115

Vulnerable Configuration:

Configuration 1:

cpe:/a:botan_project:botan:*:*:*:*:*:*:*:* (Version < 2.17.3)

Configuration CCN 1:

cpe:/a:botan_project:botan:2.17.2:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:100367	P	(Important)	2021-12-17
oval:org.opensuse.security:def:103177	P	Security update for Botan (Important)	2021-05-25
oval:org.opensuse.security:def:96487	P	Security update for Botan (Important)	2021-05-25
oval:org.opensuse.security:def:11220	P	Security update for Botan (Important)	2021-05-25
oval:org.opensuse.security:def:109834	P	Security update for Botan (Important)	2021-05-25
oval:org.opensuse.security:def:96485	P	Security update for Botan (Important)	2021-05-22
oval:org.opensuse.security:def:111399	P	Security update for Botan (Important)	2021-05-22
oval:org.opensuse.security:def:11218	P	Security update for Botan (Important)	2021-05-22
oval:org.opensuse.security:def:107033	P	Security update for Botan (Important)	2021-05-22
oval:org.opensuse.security:def:109832	P	Security update for Botan (Important)	2021-05-22
oval:org.opensuse.security:def:93654	P	Security update for Botan (Important)	2021-05-22
oval:org.opensuse.security:def:103175	P	Security update for Botan (Important)	2021-05-22

BACK