GHSA-4h8f-2wvx-gg5w

Source

https://github.com/advisories/GHSA-4h8f-2wvx-gg5w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-4h8f-2wvx-gg5w/GHSA-4h8f-2wvx-gg5w.json

Aliases

CVE-2024-34447

Published

2024-05-03T18:30:37Z

Modified

2024-05-14T20:06:13.945978Z

Summary

Bouncy Castle Java Cryptography API vulnerable to DNS poisoning

Details

An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.

References

Affected packages

Maven / org.bouncycastle:bcprov-jdk18on

Package

Name: org.bouncycastle:bcprov-jdk18on

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.61

Fixed

1.78

Affected versions

1.*

1.71

1.71.1

1.72

1.73

1.74

1.75

1.76

1.77

Maven / org.bouncycastle:bcprov-jdk15to18

Package

Name: org.bouncycastle:bcprov-jdk15to18

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.61

Fixed

1.78

Affected versions

1.*

1.63

1.64

1.65

1.66

1.67

1.68

1.69

1.70

1.71

1.72

1.73

1.74

1.75

1.76

1.77

Maven / org.bouncycastle:bcprov-jdk14

Package

Name: org.bouncycastle:bcprov-jdk14

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.61

Fixed

1.78

Affected versions

1.*

1.61

1.62

1.63

1.64

1.65

1.67

1.68

1.69

1.70

1.71

1.72

1.73

1.74

1.75

1.76

1.77

Maven / org.bouncycastle:bcprov-jdk13

Package

Name: org.bouncycastle:bcprov-jdk13

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.61

Fixed

1.78

Maven / org.bouncycastle:bcprov-jdk12

Package

Name: org.bouncycastle:bcprov-jdk12

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.61

Fixed

1.78