Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00aDhmLTJ3dngtZ2c1d84AA7vg
Bouncy Castle Java Cryptography API vulnerable to DNS poisoning
An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.
Permalink: https://github.com/advisories/GHSA-4h8f-2wvx-gg5wJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00aDhmLTJ3dngtZ2c1d84AA7vg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 14 days ago
Updated: 3 days ago
Identifiers: GHSA-4h8f-2wvx-gg5w, CVE-2024-34447
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-34447
- https://www.bouncycastle.org/latest_releases.html
- https://github.com/bcgit/bc-java/issues/1656
- https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9034447
- https://github.com/advisories/GHSA-4h8f-2wvx-gg5w
Blast Radius: 0.0
Affected Packages
maven:org.bouncycastle:bcprov-jdk12
Dependent packages: 6Dependent repositories: 20
Downloads:
Affected Version Ranges: >= 1.61, < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions:
maven:org.bouncycastle:bcprov-jdk13
Affected Version Ranges: >= 1.61, < 1.78Fixed in: 1.78
maven:org.bouncycastle:bcprov-jdk14
Dependent packages: 33Dependent repositories: 201
Downloads:
Affected Version Ranges: >= 1.61, < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bcprov-jdk15to18
Dependent packages: 187Dependent repositories: 341
Downloads:
Affected Version Ranges: >= 1.61, < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bcprov-jdk18on
Dependent packages: 500Dependent repositories: 920
Downloads:
Affected Version Ranges: >= 1.61, < 1.78
Fixed in: 1.78
All affected versions: 1.71.1
All unaffected versions: 1.78.1