CVE-2024-39312: 
Botan vulnerability analysis and mitigation

Botan, a C++ cryptography library, was found to contain a vulnerability (CVE-2024-39312) related to X.509 certificate handling. The issue affects versions prior to 3.5.0 and 2.19.5, where a bug in parsing name constraint extensions in X.509 certificates caused the system to only check permitted subtrees while ignoring excluded subtrees when both were present (GitHub Advisory).

The vulnerability stems from improper certificate validation (CWE-295) in the handling of X.509 certificates. When processing certificates that identify elliptic curves using either an object identifier or explicit parameter encoding, the system fails to properly validate both permitted and excluded subtrees in name constraint extensions. The issue has been assigned a CVSS v3.1 score of 5.3 (Medium) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

When exploited, this vulnerability allows certificates to be accepted even when they contain names that should be excluded by the excluded subtree, as long as they are permitted by the permitted subtree. This could potentially lead to unauthorized certificate acceptance and compromise the integrity of the certificate validation process (GitHub Advisory).

The vulnerability has been fixed in Botan versions 3.5.0 and 2.19.5. Users are advised to upgrade to these patched versions to address the security issue. No workarounds are available for unpatched versions (GitHub Advisory).