CVE-2018-9127
First published: Mon Apr 02 2018(Updated: )
Botan 2.2.0 - 2.4.0 (fixed in 2.5.0) improperly handled wildcard certificates and could accept certain certificates as valid for hostnames when, under RFC 6125 rules, they should not match. This only affects certificates issued to the same domain as the host, so to impersonate a host one must already have a wildcard certificate matching other hosts in the same domain. For example, b*.example.com would match some hostnames that do not begin with a 'b' character.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Botan Project Botan | >=2.2.0<=2.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-9127?
The severity of CVE-2018-9127 is critical.
Which versions of Botan are affected by CVE-2018-9127?
Botan versions 2.2.0 to 2.4.0 (fixed in 2.5.0) are affected by CVE-2018-9127.
How does CVE-2018-9127 affect wildcard certificates?
CVE-2018-9127 improperly handles wildcard certificates, allowing certain certificates to be accepted as valid for hostnames when they should not match under RFC 6125 rules.
What is the fix for CVE-2018-9127?
The fix for CVE-2018-9127 is to update to Botan version 2.5.0 or later.
Can CVE-2018-9127 be used to impersonate a host?
To impersonate a host using CVE-2018-9127, one must already have a certificate issued to the same domain as the host.
- collector/nvd-index
- agent/severity
- agent/weakness
- agent/author
- agent/references
- agent/description
- agent/type
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/botan project
- canonical/botan project botan
- version/botan project botan/2.2.0
- version/botan project botan/2.4.0