GHSA-8353-fgcr-xfhx

Suggest an improvement
Source
https://github.com/advisories/GHSA-8353-fgcr-xfhx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8353-fgcr-xfhx/GHSA-8353-fgcr-xfhx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8353-fgcr-xfhx
Aliases
Published
2022-05-14T02:14:04Z
Modified
2024-12-05T05:42:02.521197Z
Summary
Improper Input Validation in Bouncy Castle
Details

The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

Database specific
{
    "nvd_published_at": "2013-02-08T19:55:00Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-08T18:59:52Z"
}
References

Affected packages

Maven / org.bouncycastle:bcprov-jdk15on

Package

Name
org.bouncycastle:bcprov-jdk15on
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bcprov-jdk15on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.48

Affected versions

1.*

1.46
1.47