CVE-2023-33202
bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class
- Public Exploits: 1
- Exploited in Wild: -

Descriptions
Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)
A flaw was found in Bouncy Castle for the Java pkix module, which is vulnerable to a potential Denial of Service (DoS) issue within the org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack.
CVSS Scores
SSVC
- Decision: Track
Timeline
- 2023-05-18 CVE Reserved
- 2023-11-23 CVE Published
- 2024-01-02 EPSS Updated
- 2024-10-11 CVE Updated
- 2024-10-11 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-400: Uncontrolled Resource Consumption
CAPEC
References (5)

URL | Tag | Date | Source
---|---|---|---
https://bouncycastle.org | Product | | |
https://security.netapp.com/advisory/ntap-20240125-0001 | | | |
https://github.com/bcgit/bc-java/wiki/CVE-2023-33202 | | 2024-10-11 | |
https://access.redhat.com/security/cve/CVE-2023-33202 | | 2024-05-30 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2251281 | | 2024-05-30 | |
Affected Vendors, Products, and Versions

Vendor | Product | Version | Other | Status
---|---|---|---|---
Bouncycastle | Bouncy Castle For Java | < 1.73 | - | Affected