GHSA-m44j-cfrm-g8qc

Source

https://github.com/advisories/GHSA-m44j-cfrm-g8qc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-m44j-cfrm-g8qc

Aliases

Related

Published

2024-05-14T15:32:54Z

Modified

2024-11-05T21:49:48.835345Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

Bouncy Castle crafted signature and public key can be used to trigger an infinite loop

Details

An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.

References

Affected packages

Maven / org.bouncycastle:bcprov-jdk18on

Package

Name: org.bouncycastle:bcprov-jdk18on; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bcprov-jdk18on

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.78

Affected versions

1.*

1.71

1.71.1

1.72

1.73

1.74

1.75

1.76

1.77

Maven / org.bouncycastle:bcprov-jdk15on

Package

Name: org.bouncycastle:bcprov-jdk15on; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bcprov-jdk15on

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.78

Affected versions

1.*

1.46

1.47

1.48

1.49

1.50

1.51

1.52

1.53

1.54

1.55

1.56

1.57

1.58

1.59

1.60

1.61

1.62

1.63

1.64

1.65

1.65.01

1.66

1.67

1.68

1.69

1.70

Maven / org.bouncycastle:bcprov-jdk15to18

Package

Name: org.bouncycastle:bcprov-jdk15to18; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bcprov-jdk15to18

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.78

Affected versions

1.*

1.63

1.64

1.65

1.66

1.67

1.68

1.69

1.70

1.71

1.72

1.73

1.74

1.75

1.76

1.77

Maven / org.bouncycastle:bcprov-jdk14

Package

Name: org.bouncycastle:bcprov-jdk14; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bcprov-jdk14

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.78

Affected versions

1.*

1.38

1.43

1.44

1.45

1.46

1.47

1.48

1.49

1.50

1.51

1.53

1.54

1.55

1.56

1.57

1.58

1.59

1.60

1.61

1.62

1.63

1.64

1.65

1.67

1.68

1.69

1.70

1.71

1.72

1.73

1.74

1.75

1.76

1.77

Maven / org.bouncycastle:bctls-jdk18on

Package

Name: org.bouncycastle:bctls-jdk18on; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bctls-jdk18on

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.78

Affected versions

1.*

1.71

1.71.1

1.72

1.73

1.74

1.75

1.76

1.77

Maven / org.bouncycastle:bctls-jdk14

Package

Name: org.bouncycastle:bctls-jdk14; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bctls-jdk14

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.78

Affected versions

1.*

1.61

1.62

1.63

1.64

1.65

1.67

1.68

1.69

1.70

1.71

1.72

1.73

1.74

1.75

1.76

1.77

Maven / org.bouncycastle:bctls-jdk15to18

Package

Name: org.bouncycastle:bctls-jdk15to18; View open source insights on deps.dev
Purl: pkg:maven/org.bouncycastle/bctls-jdk15to18

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.78

Affected versions

1.*

1.63

1.64

1.65

1.66

1.67

1.68

1.69

1.70

1.71

1.72

1.73

1.74

1.75

1.76

1.77

NuGet / BouncyCastle

Package

Name: BouncyCastle; View open source insights on deps.dev
Purl: pkg:nuget/BouncyCastle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.7.0

1.8.1

1.8.2

1.8.3

1.8.3.1

1.8.4

1.8.5

1.8.6

1.8.6.1

1.8.9

Database specific

{
    "last_known_affected_version_range": "< 2.3.1"
}

NuGet / BouncyCastle.Cryptography

Package

Name: BouncyCastle.Cryptography; View open source insights on deps.dev
Purl: pkg:nuget/BouncyCastle.Cryptography

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.1

Affected versions

2.*

2.0.0

2.1.0

2.1.1

2.2.0

2.2.1

2.3.0