coppice-1.1.6-SNAPSHOT.jar: 14 vulnerabilities (highest severity is: 8.8) unreachable #6
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /aggregator/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/bouncycastle/bcprov-jdk14/138/bcprov-jdk14-138.jar
Found in HEAD commit: 1d1619bc4a4bd8a08cadf806a20f497a501d5d59
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - itext-2.1.5.jar
iText, a free Java-PDF library
Library home page: http://www.lowagie.com/iText/
Path to dependency file: /validation/coppice/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/lowagie/itext/2.1.5/itext-2.1.5.jar
Dependency Hierarchy:
Found in HEAD commit: 1d1619bc4a4bd8a08cadf806a20f497a501d5d59
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.
Publish Date: 2017-11-08
URL: CVE-2017-9096
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.0%
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9096
Release Date: 2017-11-08
Fix Resolution: com.itextpdf:itextpdf:5.5.12
Vulnerable Library - bcprov-jdk14-138.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. The package is organised so that it contains a light-weight API suitable for use in any environment (including the newly released J2ME) with the additional infrastructure to conform the algorithms to the JCE framework.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /validation/coppice/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/bouncycastle/bcprov-jdk14/138/bcprov-jdk14-138.jar
Dependency Hierarchy:
Found in HEAD commit: 1d1619bc4a4bd8a08cadf806a20f497a501d5d59
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.
Publish Date: 2024-05-09
URL: CVE-2024-30172
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-m44j-cfrm-g8qc
Release Date: 2024-03-24
Fix Resolution: org.bouncycastle:bcprov-jdk18on:1.78,org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk14:1.78, BouncyCastle.Cryptography - 2.3.1
Vulnerable Library - bcprov-jdk14-138.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. The package is organised so that it contains a light-weight API suitable for use in any environment (including the newly released J2ME) with the additional infrastructure to conform the algorithms to the JCE framework.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /validation/coppice/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/bouncycastle/bcprov-jdk14/138/bcprov-jdk14-138.jar
Dependency Hierarchy:
Found in HEAD commit: 1d1619bc4a4bd8a08cadf806a20f497a501d5d59
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.
Publish Date: 2024-05-14
URL: CVE-2024-29857
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.bouncycastle.org/latest_releases.html
Release Date: 2024-05-09
Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78
Vulnerable Library - bcprov-jdk14-138.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. The package is organised so that it contains a light-weight API suitable for use in any environment (including the newly released J2ME) with the additional infrastructure to conform the algorithms to the JCE framework.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /validation/coppice/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/bouncycastle/bcprov-jdk14/138/bcprov-jdk14-138.jar
Dependency Hierarchy:
Found in HEAD commit: 1d1619bc4a4bd8a08cadf806a20f497a501d5d59
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.
Publish Date: 2018-06-04
URL: CVE-2016-1000343
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000343
Release Date: 2018-06-04
Fix Resolution: org.bouncycastle:bcprov-debug-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk15on:1.56,org.bouncycastle:bcprov-jdk14:1.56,org.bouncycastle:bcprov-jdk15on:1.56,org.bouncycastle:bcprov-ext-debug-jdk15on:1.56
Vulnerable Library - bcprov-jdk14-138.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. The package is organised so that it contains a light-weight API suitable for use in any environment (including the newly released J2ME) with the additional infrastructure to conform the algorithms to the JCE framework.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /validation/coppice/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/bouncycastle/bcprov-jdk14/138/bcprov-jdk14-138.jar
Dependency Hierarchy:
Found in HEAD commit: 1d1619bc4a4bd8a08cadf806a20f497a501d5d59
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
Publish Date: 2018-06-04
URL: CVE-2016-1000344
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000344
Release Date: 2018-06-04
Fix Resolution: org.bouncycastle:bcprov-debug-jdk15on:1.56,org.bouncycastle:bcprov-debug-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk15on:1.56,org.bouncycastle:bcprov-jdk14:1.56,org.bouncycastle:bcprov-jdk15on:1.56,org.bouncycastle:bcprov-ext-debug-jdk15on:1.56
Vulnerable Library - bcprov-jdk14-138.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. The package is organised so that it contains a light-weight API suitable for use in any environment (including the newly released J2ME) with the additional infrastructure to conform the algorithms to the JCE framework.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /validation/coppice/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/bouncycastle/bcprov-jdk14/138/bcprov-jdk14-138.jar
Dependency Hierarchy:
Found in HEAD commit: 1d1619bc4a4bd8a08cadf806a20f497a501d5d59
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.
Publish Date: 2024-05-09
URL: CVE-2024-30171
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-v435-xc8x-wvr9
Release Date: 2024-05-09
Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78, BouncyCastle.Cryptography - 2.3.1
Vulnerable Library - bcprov-jdk14-138.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. The package is organised so that it contains a light-weight API suitable for use in any environment (including the newly released J2ME) with the additional infrastructure to conform the algorithms to the JCE framework.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /validation/coppice/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/bouncycastle/bcprov-jdk14/138/bcprov-jdk14-138.jar
Dependency Hierarchy:
Found in HEAD commit: 1d1619bc4a4bd8a08cadf806a20f497a501d5d59
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.
Publish Date: 2018-06-04
URL: CVE-2016-1000341
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000341
Release Date: 2018-06-04
Fix Resolution: org.bouncycastle:bcprov-debug-jdk15on:1.56,org.bouncycastle:bcprov-debug-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk15on:1.56,org.bouncycastle:bcprov-jdk14:1.56,org.bouncycastle:bcprov-jdk15on:1.56,org.bouncycastle:bcprov-ext-debug-jdk15on:1.56
Vulnerable Library - bcprov-jdk14-138.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. The package is organised so that it contains a light-weight API suitable for use in any environment (including the newly released J2ME) with the additional infrastructure to conform the algorithms to the JCE framework.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /validation/coppice/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/bouncycastle/bcprov-jdk14/138/bcprov-jdk14-138.jar
Dependency Hierarchy:
Found in HEAD commit: 1d1619bc4a4bd8a08cadf806a20f497a501d5d59
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
Publish Date: 2013-02-08
URL: CVE-2013-1624
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1624
Release Date: 2013-02-08
Fix Resolution: org.bouncycastle:bcprov-jdk15on:1.48;org.bouncycastle:bcprov-jdk14:1.48
Vulnerable Library - bcprov-jdk14-138.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. The package is organised so that it contains a light-weight API suitable for use in any environment (including the newly released J2ME) with the additional infrastructure to conform the algorithms to the JCE framework.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /validation/coppice/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/bouncycastle/bcprov-jdk14/138/bcprov-jdk14-138.jar
Dependency Hierarchy:
Found in HEAD commit: 1d1619bc4a4bd8a08cadf806a20f497a501d5d59
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)
Publish Date: 2023-11-23
URL: CVE-2023-33202
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-wjxj-5m7g-mg7q
Release Date: 2023-11-23
Fix Resolution: org.bouncycastle:bcprov-jdk14:1.73, org.bouncycastle:bcprov-jdk15to18: 1.73, org.bouncycastle:bcprov-jdk18on:1.73
Vulnerable Library - bcprov-jdk14-138.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. The package is organised so that it contains a light-weight API suitable for use in any environment (including the newly released J2ME) with the additional infrastructure to conform the algorithms to the JCE framework.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /validation/coppice/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/bouncycastle/bcprov-jdk14/138/bcprov-jdk14-138.jar
Dependency Hierarchy:
Found in HEAD commit: 1d1619bc4a4bd8a08cadf806a20f497a501d5d59
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
Publish Date: 2023-07-05
URL: CVE-2023-33201
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2023-07-05
Fix Resolution: org.bouncycastle:bcprov-ext-jdk18on:1.74, org.bouncycastle:bcprov-jdk18on:1.74, org.bouncycastle:bcprov-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-jdk15to18:1.74, org.bouncycastle:bcprov-jdk15to18:1.74, org.bouncycastle:bcprov-debug-jdk14:1.74, org.bouncycastle:bcprov-debug-jdk15to18:1.74, org.bouncycastle:bcprov-ext-debug-jdk14:1.74, org.bouncycastle:bcprov-ext-debug-jdk15to18:1.74, org.bouncycastle:bcprov-jdk14:1.74
Vulnerable Library - bcprov-jdk14-138.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. The package is organised so that it contains a light-weight API suitable for use in any environment (including the newly released J2ME) with the additional infrastructure to conform the algorithms to the JCE framework.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /validation/coppice/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/bouncycastle/bcprov-jdk14/138/bcprov-jdk14-138.jar
Dependency Hierarchy:
Found in HEAD commit: 1d1619bc4a4bd8a08cadf806a20f497a501d5d59
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.
Publish Date: 2018-06-04
URL: CVE-2016-1000339
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000339
Release Date: 2018-06-04
Fix Resolution: org.bouncycastle:bcprov-debug-jdk15on:1.56,org.bouncycastle:bcprov-debug-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk15on:1.56,org.bouncycastle:bcprov-jdk14:1.56,org.bouncycastle:bcprov-jdk15on:1.56,org.bouncycastle:bcprov-ext-debug-jdk15on:1.56
Vulnerable Library - bcprov-jdk14-138.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. The package is organised so that it contains a light-weight API suitable for use in any environment (including the newly released J2ME) with the additional infrastructure to conform the algorithms to the JCE framework.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /validation/coppice/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/bouncycastle/bcprov-jdk14/138/bcprov-jdk14-138.jar
Dependency Hierarchy:
Found in HEAD commit: 1d1619bc4a4bd8a08cadf806a20f497a501d5d59
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The default BKS keystore use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS keystore. Bouncy Castle release 1.47 changes the BKS format to a format which uses a 160 bit HMAC instead. This applies to any BKS keystore generated prior to BC 1.47. For situations where people need to create the files for legacy reasons a specific keystore type "BKS-V1" was introduced in 1.49. It should be noted that the use of "BKS-V1" is discouraged by the library authors and should only be used where it is otherwise safe to do so, as in where the use of a 16 bit checksum for the file integrity check is not going to cause a security issue in itself.
Publish Date: 2018-04-16
URL: CVE-2018-5382
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (4.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://vulners.com/cert/VU:306792
Release Date: 2018-04-16
Fix Resolution: org.bouncycastle:bcprov-ext-jdk14:1.47,org.bouncycastle:bcprov-ext-jdk15on:1.47,org.bouncycastle:bcprov-jdk14:1.47
Vulnerable Library - bcprov-jdk14-138.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. The package is organised so that it contains a light-weight API suitable for use in any environment (including the newly released J2ME) with the additional infrastructure to conform the algorithms to the JCE framework.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /validation/coppice/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/bouncycastle/bcprov-jdk14/138/bcprov-jdk14-138.jar
Dependency Hierarchy:
Found in HEAD commit: 1d1619bc4a4bd8a08cadf806a20f497a501d5d59
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.
Publish Date: 2018-06-04
URL: CVE-2016-1000346
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000346
Release Date: 2018-06-04
Fix Resolution: org.bouncycastle:bcprov-debug-jdk15on:1.56,org.bouncycastle:bcprov-debug-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk15on:1.56,org.bouncycastle:bcprov-jdk14:1.56,org.bouncycastle:bcprov-jdk15on:1.56,org.bouncycastle:bcprov-ext-debug-jdk15on:1.56
Vulnerable Library - bcprov-jdk14-138.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. The package is organised so that it contains a light-weight API suitable for use in any environment (including the newly released J2ME) with the additional infrastructure to conform the algorithms to the JCE framework.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /validation/coppice/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/bouncycastle/bcprov-jdk14/138/bcprov-jdk14-138.jar
Dependency Hierarchy:
Found in HEAD commit: 1d1619bc4a4bd8a08cadf806a20f497a501d5d59
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.
Publish Date: 2018-06-04
URL: CVE-2016-1000345
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000345
Release Date: 2018-06-04
Fix Resolution: org.bouncycastle:bcprov-debug-jdk15on:1.56,org.bouncycastle:bcprov-debug-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk15on:1.56,org.bouncycastle:bcprov-jdk14:1.56,org.bouncycastle:bcprov-jdk15on:1.56,org.bouncycastle:bcprov-ext-debug-jdk15on:1.56
The text was updated successfully, but these errors were encountered: