GHSA-8xfc-gm6g-vgpv

Suggest an improvement
Source
https://github.com/advisories/GHSA-8xfc-gm6g-vgpv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8xfc-gm6g-vgpv
Aliases
Related
Published
2024-05-14T15:32:54Z
Modified
2024-12-06T15:48:32.838321Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation.
Details

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

Database specific 
{
    "nvd_published_at": "2024-05-14T15:17:02Z",
    "cwe_ids": [
        "CWE-125",
        "CWE-400"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-14T20:22:01Z"
}
References

Affected packages

Maven / org.bouncycastle:bcprov-jdk18on

Package

Name
org.bouncycastle:bcprov-jdk18on
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bcprov-jdk18on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.78

Affected versions

1.*

1.71
1.71.1
1.72
1.73
1.74
1.75
1.76
1.77

Maven / org.bouncycastle:bcprov-jdk15on

Package

Name
org.bouncycastle:bcprov-jdk15on
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bcprov-jdk15on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.78

Affected versions

1.*

1.46
1.47
1.48
1.49
1.50
1.51
1.52
1.53
1.54
1.55
1.56
1.57
1.58
1.59
1.60
1.61
1.62
1.63
1.64
1.65
1.65.01
1.66
1.67
1.68
1.69
1.70

Maven / org.bouncycastle:bcprov-jdk15to18

Package

Name
org.bouncycastle:bcprov-jdk15to18
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bcprov-jdk15to18

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.78

Affected versions

1.*

1.63
1.64
1.65
1.66
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77

Maven / org.bouncycastle:bcprov-jdk14

Package

Name
org.bouncycastle:bcprov-jdk14
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bcprov-jdk14

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.78

Affected versions

1.*

1.38
1.43
1.44
1.45
1.46
1.47
1.48
1.49
1.50
1.51
1.53
1.54
1.55
1.56
1.57
1.58
1.59
1.60
1.61
1.62
1.63
1.64
1.65
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77

Maven / org.bouncycastle:bctls-jdk18on

Package

Name
org.bouncycastle:bctls-jdk18on
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bctls-jdk18on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.78

Affected versions

1.*

1.71
1.71.1
1.72
1.73
1.74
1.75
1.76
1.77

Maven / org.bouncycastle:bctls-jdk14

Package

Name
org.bouncycastle:bctls-jdk14
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bctls-jdk14

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.78

Affected versions

1.*

1.61
1.62
1.63
1.64
1.65
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77

Maven / org.bouncycastle:bctls-jdk15to18

Package

Name
org.bouncycastle:bctls-jdk15to18
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bctls-jdk15to18

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.78

Affected versions

1.*

1.63
1.64
1.65
1.66
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77

Maven / org.bouncycastle:bc-fips

Package

Name
org.bouncycastle:bc-fips
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bc-fips

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.2.5

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.2.1
1.0.2.3
1.0.2.4

NuGet / BouncyCastle

Package

Name
BouncyCastle
View open source insights on deps.dev
Purl
pkg:nuget/BouncyCastle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.7.0
1.8.1
1.8.2
1.8.3
1.8.3.1
1.8.4
1.8.5
1.8.6
1.8.6.1
1.8.9

Database specific 

{
    "last_known_affected_version_range": "< 2.3.1"
}

NuGet / BouncyCastle.Cryptography

Package

Name
BouncyCastle.Cryptography
View open source insights on deps.dev
Purl
pkg:nuget/BouncyCastle.Cryptography

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.3.1

Affected versions

2.*

2.0.0
2.1.0
2.1.1
2.2.0
2.2.1
2.3.0