GHSA-m44j-cfrm-g8qc

Source

https://github.com/advisories/GHSA-m44j-cfrm-g8qc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-m44j-cfrm-g8qc

Aliases

Related

Published

2024-05-14T15:32:54Z

Modified

2024-12-02T16:33:08.858488Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

Bouncy Castle crafted signature and public key can be used to trigger an infinite loop

Details

An issue was discovered in Bouncy Castle Java Cryptography APIs starting in 1.73 and before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.

Database specific

{
    "nvd_published_at": "2024-05-14T15:21:53Z",
    "cwe_ids": [
        "CWE-835"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-14T20:22:06Z"
}

References

Affected packages

Maven / org.bouncycastle:bcprov-jdk18on

Package

Name: org.bouncycastle:bcprov-jdk18on; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bcprov-jdk18on

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.73

Fixed

1.78

Affected versions

1.*

1.73

1.74

1.75

1.76

1.77

Maven / org.bouncycastle:bcprov-jdk15to18

Package

Name: org.bouncycastle:bcprov-jdk15to18; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bcprov-jdk15to18

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.73

Fixed

1.78

Affected versions

1.*

1.73

1.74

1.75

1.76

1.77

Maven / org.bouncycastle:bcprov-jdk14

Package

Name: org.bouncycastle:bcprov-jdk14; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bcprov-jdk14

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.73

Fixed

1.78

Affected versions

1.*

1.73

1.74

1.75

1.76

1.77

Maven / org.bouncycastle:bctls-jdk18on

Package

Name: org.bouncycastle:bctls-jdk18on; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bctls-jdk18on

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.73

Fixed

1.78

Affected versions

1.*

1.73

1.74

1.75

1.76

1.77

Maven / org.bouncycastle:bctls-jdk14

Package

Name: org.bouncycastle:bctls-jdk14; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bctls-jdk14

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.73

Fixed

1.78

Affected versions

1.*

1.73

1.74

1.75

1.76

1.77

Maven / org.bouncycastle:bctls-jdk15to18

Package

Name: org.bouncycastle:bctls-jdk15to18; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bctls-jdk15to18

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.73

Fixed

1.78

Affected versions

1.*

1.73

1.74

1.75

1.76

1.77

NuGet / BouncyCastle

Package

Name: BouncyCastle; View open source insights on deps.dev
Purl: pkg:nuget/BouncyCastle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.7.0

1.8.1

1.8.2

1.8.3

1.8.3.1

1.8.4

1.8.5

1.8.6

1.8.6.1

1.8.9

Database specific

{
    "last_known_affected_version_range": "< 2.3.1"
}

NuGet / BouncyCastle.Cryptography

Package

Name: BouncyCastle.Cryptography; View open source insights on deps.dev
Purl: pkg:nuget/BouncyCastle.Cryptography

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.1

Affected versions

2.*

2.0.0

2.1.0

2.1.1

2.2.0

2.2.1

2.3.0