CRITICAL🇵🇱 Wersja polska

CVE-2018-9127

CVSS 9.8v3.0pub. 2018-04-02upd. 2024-11-21

Botan 2.2.0 - 2.4.0 (fixed in 2.5.0) improperly handled wildcard certificates and could accept certain certificates as valid for hostnames when, under RFC 6125 rules, they should not match. This only affects certificates issued to the same domain as the host, so to impersonate a host one must already have a wildcard certificate matching other hosts in the same domain. For example, b*.example.com would match some hostnames that do not begin with a 'b' character.

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Botan Project Botan

    APP
    Botan Project
    2.2.0 – 2.4.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-34580CRITICAL9.3PL ✓ten sam produkt

Botan: błędna weryfikacja certyfikatu umożliwia obejście łańcucha zaufania

CVE-2022-43705CRITICAL9.1ten sam produkt

In Botan before 2.19.3, it is possible to forge OCSP responses due to a certificate verification error. This i...

CVE-2021-24115CRITICAL9.8ten sam produkt

In Botan before 2.17.3, constant-time computations are not used for certain decoding and encoding operations (...

CVE-2016-6878CRITICAL9.8ten sam produkt

The Curve25519 code in botan before 1.11.31, on systems without a native 128-bit integer type, might allow att...

CVE-2015-7826CRITICAL9.8ten sam produkt

botan 1.11.x before 1.11.22 improperly handles wildcard matching against hostnames, which might allow remote a...