CVE-2024-34447

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-34447
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34447.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-34447
Aliases
Related
Published
2024-05-03T16:15:11Z
Modified
2025-06-17T20:58:05.172427Z
Summary
[none]
Details

An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS TLS Java 1.0.19. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.

References

Affected packages

Debian:11 / bouncycastle

Package

Name
bouncycastle
Purl
pkg:deb/debian/bouncycastle?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.68-2
1.68-3
1.68-4
1.68-5
1.69-1
1.71-1
1.72-1
1.72-2
1.77-1
1.80-1
1.80-2
1.80-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / bouncycastle

Package

Name
bouncycastle
Purl
pkg:deb/debian/bouncycastle?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.72-2
1.77-1
1.80-1
1.80-2
1.80-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / bouncycastle

Package

Name
bouncycastle
Purl
pkg:deb/debian/bouncycastle?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.80-1

Affected versions

1.*

1.72-2
1.77-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}