CVE-2024-34447

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-34447

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34447.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-34447

Aliases

Related

Published

2024-05-03T16:15:11Z

Modified

2025-06-17T20:58:05.172427Z

Summary

[none]

Details

An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS TLS Java 1.0.19. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.

References

Affected packages

Debian:11 / bouncycastle

Package

Name: bouncycastle
Purl: pkg:deb/debian/bouncycastle?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.68-2

1.68-3

1.68-4

1.68-5

1.69-1

1.71-1

1.72-1

1.72-2

1.77-1

1.80-1

1.80-2

1.80-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / bouncycastle

Package

Name: bouncycastle
Purl: pkg:deb/debian/bouncycastle?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.72-2

1.77-1

1.80-1

1.80-2

1.80-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / bouncycastle

Package

Name: bouncycastle
Purl: pkg:deb/debian/bouncycastle?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.80-1

Affected versions

1.*

1.72-2

1.77-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}