// For flags

CVE-2015-6644

bouncycastle: Information disclosure in GCMBlockCipher

Severity Score

3.3
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Bouncy Castle in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to obtain sensitive information via a crafted application, aka internal bug 24106146.

Bouncy Castle en Android en versiones anteriores a 5.1.1 LMY49F y 6.0 en versiones anteriores a 2016-01-01 permite a atacantes obtener información sensible a través de una aplicación manipulada, también conocida como error interno 24106146.

It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information.

Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.0.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix: It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2015-08-21 CVE Reserved
  • 2016-01-06 CVE Published
  • 2024-08-06 CVE Updated
  • 2024-12-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Google
Search vendor "Google"
 Android
Search vendor "Google" for product "Android"
 4.4.4
Search vendor "Google" for product "Android" and version "4.4.4"
-
Affected
Google
Search vendor "Google"
 Android
Search vendor "Google" for product "Android"
 5.0
Search vendor "Google" for product "Android" and version "5.0"
-
Affected
Google
Search vendor "Google"
 Android
Search vendor "Google" for product "Android"
 5.0.1
Search vendor "Google" for product "Android" and version "5.0.1"
-
Affected
Google
Search vendor "Google"
 Android
Search vendor "Google" for product "Android"
 5.0.2
Search vendor "Google" for product "Android" and version "5.0.2"
-
Affected
Google
Search vendor "Google"
 Android
Search vendor "Google" for product "Android"
 5.1.0
Search vendor "Google" for product "Android" and version "5.1.0"
-
Affected
Google
Search vendor "Google"
 Android
Search vendor "Google" for product "Android"
 5.1.1
Search vendor "Google" for product "Android" and version "5.1.1"
-
Affected
Google
Search vendor "Google"
 Android
Search vendor "Google" for product "Android"
 6.0
Search vendor "Google" for product "Android" and version "6.0"
-
Affected
Google
Search vendor "Google"
 Android
Search vendor "Google" for product "Android"
 6.0.1
Search vendor "Google" for product "Android" and version "6.0.1"
-
Affected