GHSA-v435-xc8x-wvr9

Suggest an improvement
Source
https://github.com/advisories/GHSA-v435-xc8x-wvr9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v435-xc8x-wvr9
Aliases
Downstream
Related
Published
2024-05-14T15:32:54Z
Modified
2024-10-22T05:28:59.209889Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Bouncy Castle affected by timing side-channel for RSA key exchange ("The Marvin Attack")
Details

An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.

Database specific 
{
    "nvd_published_at": "2024-05-14T15:21:52Z",
    "github_reviewed_at": "2024-05-14T20:22:03Z",
    "cwe_ids": [
        "CWE-203"
    ],
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

Maven

org.bouncycastle:bctls-fips

Package

Name
org.bouncycastle:bctls-fips
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bctls-fips

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.19

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.10.1
1.0.10.2
1.0.10.3
1.0.11
1.0.11.1
1.0.11.2
1.0.11.3
1.0.11.4
1.0.12
1.0.12.1
1.0.12.2
1.0.12.3
1.0.13
1.0.14
1.0.14.1
1.0.16
1.0.17
1.0.18

org.bouncycastle:bcprov-jdk18on

Package

Name
org.bouncycastle:bcprov-jdk18on
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bcprov-jdk18on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.78

Affected versions

1.*

1.71
1.71.1
1.72
1.73
1.74
1.75
1.76
1.77

org.bouncycastle:bcprov-jdk15on

Package

Name
org.bouncycastle:bcprov-jdk15on
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bcprov-jdk15on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.78

Affected versions

1.*

1.46
1.47
1.48
1.49
1.50
1.51
1.52
1.53
1.54
1.55
1.56
1.57
1.58
1.59
1.60
1.61
1.62
1.63
1.64
1.65
1.65.01
1.66
1.67
1.68
1.69
1.70

org.bouncycastle:bcprov-jdk15to18

Package

Name
org.bouncycastle:bcprov-jdk15to18
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bcprov-jdk15to18

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.78

Affected versions

1.*

1.63
1.64
1.65
1.66
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77

org.bouncycastle:bcprov-jdk14

Package

Name
org.bouncycastle:bcprov-jdk14
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bcprov-jdk14

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.78

Affected versions

1.*

1.38
1.43
1.44
1.45
1.46
1.47
1.48
1.49
1.50
1.51
1.53
1.54
1.55
1.56
1.57
1.58
1.59
1.60
1.61
1.62
1.63
1.64
1.65
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77

org.bouncycastle:bctls-jdk18on

Package

Name
org.bouncycastle:bctls-jdk18on
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bctls-jdk18on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.78

Affected versions

1.*

1.71
1.71.1
1.72
1.73
1.74
1.75
1.76
1.77

org.bouncycastle:bctls-jdk14

Package

Name
org.bouncycastle:bctls-jdk14
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bctls-jdk14

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.78

Affected versions

1.*

1.61
1.62
1.63
1.64
1.65
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77

org.bouncycastle:bctls-jdk15to18

Package

Name
org.bouncycastle:bctls-jdk15to18
View open source insights on deps.dev
Purl
pkg:maven/org.bouncycastle/bctls-jdk15to18

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.78

Affected versions

1.*

1.63
1.64
1.65
1.66
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77

NuGet

BouncyCastle

Package

Name
BouncyCastle
View open source insights on deps.dev
Purl
pkg:nuget/BouncyCastle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.7.0
1.8.1
1.8.2
1.8.3
1.8.3.1
1.8.4
1.8.5
1.8.6
1.8.6.1
1.8.9

Database specific

last_known_affected_version_range

"< 2.3.1"

BouncyCastle.Cryptography

Package

Name
BouncyCastle.Cryptography
View open source insights on deps.dev
Purl
pkg:nuget/BouncyCastle.Cryptography

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.3.1

Affected versions

2.*

2.0.0
2.1.0
2.1.1
2.2.0
2.2.1
2.3.0