Cyber Resilience

CVE-2024-34703

Severity: High · DDoS

Published: 30 June 2024
Modified: 15 April 2026
KEV Added: (not listed)
Patch: (not recorded)
CVSS v3.1 score: 7.5 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0020 (42.2nd percentile)
Risk priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-34703 is a high-severity Amplification (CWE-405) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, it ranks at the 42.2nd percentile for exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding where the parameters are very large. The proof of concept used a 16 Kbit prime for this purpose. When parsing, the parameter is checked to be prime, causing excessive computation. This was patched in 2.19.4 and 3.3.0 to allow the prime parameter of the elliptic curve to be at most 521 bits. No known workarounds are available. Note that support for explicit encoding of elliptic curve parameters is deprecated in Botan.
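As an added illustration of the fix described above (example code written for this page, not Botan's own), the following walks the explicitly encoded ECParameters structure just far enough to read the field prime and rejects anything over 521 bits before a primality test could run. It assumes the X9.62/RFC 3279 "specifiedCurve" DER layout, handles only prime-field curves, and uses sample parameters constructed in the block.

```python
# Added example: size cap on an explicitly encoded EC field prime, enforced before
# any primality test, mirroring the 521-bit limit of the Botan 2.19.4 / 3.3.0 fix.

MAX_PRIME_BITS = 521                                # limit stated in the advisory
OID_PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")   # 1.2.840.10045.1.1 (prime-field)

def _read_tlv(buf: bytes, pos: int):                # -> (tag, value, position after)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form DER length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _expect(buf: bytes, pos: int, tag: int):        # read one TLV, require its tag
    t, value, nxt = _read_tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{t:02x}")
    return value, nxt

def check_explicit_ec_prime(ec_params: bytes) -> int:
    """Return the field prime's bit length; raise ValueError before any
    primality test if it exceeds MAX_PRIME_BITS."""
    body, _ = _expect(ec_params, 0, 0x30)           # ECParameters SEQUENCE
    _, pos = _expect(body, 0, 0x02)                 # version INTEGER
    field_id, _ = _expect(body, pos, 0x30)          # fieldID SEQUENCE
    oid, pos = _expect(field_id, 0, 0x06)
    if oid != OID_PRIME_FIELD:
        raise ValueError("only prime-field curves are handled here")
    p_bytes, _ = _expect(field_id, pos, 0x02)       # field prime INTEGER
    bits = int.from_bytes(p_bytes, "big").bit_length()
    if bits > MAX_PRIME_BITS:                       # cheap check, runs before primality
        raise ValueError(f"EC prime is {bits} bits; limit is {MAX_PRIME_BITS}")
    return bits                                     # a primality test would follow here

def _der(tag: int, value: bytes) -> bytes:          # DER TLV, short or long length
    n = len(value)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n]) + value if n < 0x80 else bytes([tag, 0x80 | len(lb)]) + lb + value

def _int_der(v: int) -> bytes:                      # non-negative DER INTEGER
    return _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def build_explicit_params(p: int) -> bytes:
    """Constructed ECParameters carrying prime p; curve, base and order are
    placeholders because the check above never reads them."""
    field_id = _der(0x30, _der(0x06, OID_PRIME_FIELD) + _int_der(p))
    body = _int_der(1) + field_id + _der(0x30, b"") + _der(0x04, b"\x04") + _int_der(1)
    return _der(0x30, body)
```

Feeding `build_explicit_params(2**16384 - 1)` (a 16 Kbit operand, the size the advisory's proof of concept used) to `check_explicit_ec_prime` is rejected on size alone, while the NIST P-521 prime `2**521 - 1` passes at exactly the limit.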

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not been run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-770, CWE-405: Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.

Addresses CWE-405, CWE-770: Alternate services reduce the impact of amplification attacks that exhaust primary telecommunications resources.

Addresses CWE-405, CWE-770: Amplification attacks that exhaust the primary path are mitigated by the existence of an independent alternate path for command traffic.

Addresses CWE-770, CWE-405: Requires throttling and limits on resource allocation to prevent exhaustion.

Addresses CWE-770, CWE-405: Implements the missing limits and throttling on resource allocation that this weakness describes.

Addresses CWE-770: This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.

Addresses CWE-770: Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.

Addresses CWE-770: Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit a lack of throttling to cause prolonged outages.

References