CVSS: 7.8EPSS: 0%CPEs: 16EXPL: 0CVE-2024-30171 – bc-java: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack)
https://notcve.org/view.php?id=CVE-2024-30171
09 May 2024 — An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing. Se descubrió un problema en la API TLS Java de Bouncy Castle y en el proveedor JSSE anterior a la versión 1.78. Es posible que se produzcan fugas basadas en el tiempo en los protocolos de enlace basados en RSA debido al procesamiento de excepciones. A flaw was found in the Bouncy Castle Java cryptography APIs. • https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030171 • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-33202 – bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class
https://notcve.org/view.php?id=CVE-2023-33202
23 Nov 2023 — Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.) Bounc... • https://bouncycastle.org • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.9EPSS: 0%CPEs: 5EXPL: 0CVE-2020-15522 – bouncycastle: Timing issue within the EC math library
https://notcve.org/view.php?id=CVE-2020-15522
20 May 2021 — Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures. Bouncy Castle BC Java versiones anteriores a 1.66, BC C # .NET versiones anteriores a 1.8.7, BC-FJA versiones anteriores a 1.0.1.2, 1.0.2.1 y BC-FNA versiones anteriores a 1.0.1.1... • https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 9.8EPSS: 4%CPEs: 47EXPL: 0CVE-2018-1000613
https://notcve.org/view.php?id=CVE-2018-1000613
09 Jul 2018 — Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be pic... • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •