GHSA-6xx3-rg99-gc3p

Source

https://github.com/advisories/GHSA-6xx3-rg99-gc3p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6xx3-rg99-gc3p

Aliases

CVE-2020-15522

Related

Published

2021-08-13T15:22:31Z

Modified

2024-02-17T05:52:01.093029Z

Severity

5.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Timing based private key exposure in Bouncy Castle

Details

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.2.1, BC before 1.66, BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.

References

Affected packages

Maven / org.bouncycastle:bc-fips

Package

Name: org.bouncycastle:bc-fips; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bc-fips

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.2.1

Affected versions

1.*

1.0.0

1.0.1

1.0.2

Database specific

{
    "last_known_affected_version_range": "<= 1.0.2"
}

Maven / org.bouncycastle:bcprov-ext-jdk15on

Package

Name: org.bouncycastle:bcprov-ext-jdk15on; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk15on

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.66

Affected versions

1.*

1.46

1.47

1.48

1.49

1.50

1.51

1.52

1.53

1.54

1.55

1.56

1.57

1.58

1.59

1.60

1.61

1.62

1.63

1.64

1.65

Maven / org.bouncycastle:bcprov-ext-jdk16

Package

Name: org.bouncycastle:bcprov-ext-jdk16; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk16

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.66

Affected versions

1.*

1.45

1.46

Maven / org.bouncycastle:bcprov-jdk14

Package

Name: org.bouncycastle:bcprov-jdk14; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bcprov-jdk14

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.66

Affected versions

1.*

1.38

1.43

1.44

1.45

1.46

1.47

1.48

1.49

1.50

1.51

1.53

1.54

1.55

1.56

1.57

1.58

1.59

1.60

1.61

1.62

1.63

1.64

1.65

Maven / org.bouncycastle:bcprov-jdk15

Package

Name: org.bouncycastle:bcprov-jdk15; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bcprov-jdk15

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.66

Affected versions

1.*

1.32

1.38

1.40

1.43

1.44

1.45

1.46

Maven / org.bouncycastle:bcprov-jdk15on

Package

Name: org.bouncycastle:bcprov-jdk15on; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bcprov-jdk15on

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.66

Affected versions

1.*

1.46

1.47

1.48

1.49

1.50

1.51

1.52

1.53

1.54

1.55

1.56

1.57

1.58

1.59

1.60

1.61

1.62

1.63

1.64

1.65

1.65.01

Maven / org.bouncycastle:bcprov-jdk15to18

Package

Name: org.bouncycastle:bcprov-jdk15to18; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bcprov-jdk15to18

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.66

Affected versions

1.*

1.63

1.64

1.65

Maven / org.bouncycastle:bcprov-jdk16

Package

Name: org.bouncycastle:bcprov-jdk16; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bcprov-jdk16

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.66

Affected versions

1.*

1.38

1.40

1.43

1.44

1.45

1.46

NuGet / BouncyCastle

Package

Name: BouncyCastle; View open source insights on deps.dev
Purl: pkg:nuget/BouncyCastle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.7

Affected versions

1.*

1.7.0

1.8.1

1.8.2

1.8.3

1.8.3.1

1.8.4

1.8.5

1.8.6

1.8.6.1