
Vulnerabilities found in org.bouncycastle:bcprov-jdk15on 1.59 #607

Open
ghardytest bot opened this issue Aug 30, 2019 · 0 comments

Comments


ghardytest bot commented Aug 30, 2019

CVE-2018-1000180

Description: Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the low-level interface to the RSA key pair generator; specifically, RSA key pairs generated in the low-level API with added certainty may have fewer M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
Discovery Date: 2019-07-23
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Score: 5.0
Exploitability score: 10.0
Impact score: 2.9
Vendors
  • bouncycastle
  • redhat
  • debian
  • netapp
  • oracle
References

CVE-2018-1000613

Description: Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contain a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization: deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appears to be exploitable via a handcrafted private key that can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.
Discovery Date: 2019-04-23
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score: 7.5
Exploitability score: 10.0
Impact score: 6.4
Vendors
  • bouncycastle
References