GHSA-4h8f-2wvx-gg5w

Source

https://github.com/advisories/GHSA-4h8f-2wvx-gg5w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-4h8f-2wvx-gg5w/GHSA-4h8f-2wvx-gg5w.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4h8f-2wvx-gg5w

Aliases

Related

Published

2024-05-03T18:30:37Z

Modified

2024-12-01T05:52:02.966086Z

Summary

Bouncy Castle Java Cryptography API vulnerable to DNS poisoning

Details

An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.

Database specific

{
    "nvd_published_at": "2024-05-03T16:15:11Z",
    "cwe_ids": [],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-03T20:34:32Z"
}

References

Affected packages

Maven / org.bouncycastle:bcprov-jdk18on

Package

Name: org.bouncycastle:bcprov-jdk18on; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bcprov-jdk18on

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.61

Fixed

1.78

Affected versions

1.*

1.71

1.71.1

1.72

1.73

1.74

1.75

1.76

1.77

Maven / org.bouncycastle:bcprov-jdk15to18

Package

Name: org.bouncycastle:bcprov-jdk15to18; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bcprov-jdk15to18

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.61

Fixed

1.78

Affected versions

1.*

1.63

1.64

1.65

1.66

1.67

1.68

1.69

1.70

1.71

1.72

1.73

1.74

1.75

1.76

1.77

Maven / org.bouncycastle:bcprov-jdk14

Package

Name: org.bouncycastle:bcprov-jdk14; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bcprov-jdk14

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.61

Fixed

1.78

Affected versions

1.*

1.61

1.62

1.63

1.64

1.65

1.67

1.68

1.69

1.70

1.71

1.72

1.73

1.74

1.75

1.76

1.77

Maven / org.bouncycastle:bcprov-jdk13

Package

Name: org.bouncycastle:bcprov-jdk13; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bcprov-jdk13

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.61

Fixed

1.78

Maven / org.bouncycastle:bcprov-jdk12

Package

Name: org.bouncycastle:bcprov-jdk12; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bcprov-jdk12

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.61

Fixed

1.78