CVE-2024-29857 (High) detected in bcprov-jdk15on-1.65.01.jar #384
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
This was referenced May 19, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2024-29857 - High Severity Vulnerability
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5+.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /vc-worker/pom.xml
Path to vulnerable library: /vc-worker/libs/bcprov-jdk15on-1.65.01.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.65.01/bcprov-jdk15on-1.65.01.jar
Dependency Hierarchy:
Found in base branch: master
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.
Publish Date: 2024-05-09
URL: CVE-2024-29857
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://www.bouncycastle.org/latest_releases.html
Release Date: 2024-05-09
Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78
⛑️ Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: