Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00aDhmLTJ3dngtZ2c1d84AA7vg

Bouncy Castle Java Cryptography API vulnerable to DNS poisoning

An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.

Permalink: https://github.com/advisories/GHSA-4h8f-2wvx-gg5w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00aDhmLTJ3dngtZ2c1d84AA7vg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 14 days ago
Updated: 3 days ago


Identifiers: GHSA-4h8f-2wvx-gg5w, CVE-2024-34447
References: Repository: https://github.com/bcgit/bc-java
Blast Radius: 0.0

Affected Packages

maven:org.bouncycastle:bcprov-jdk12
Dependent packages: 6
Dependent repositories: 20
Downloads:
Affected Version Ranges: >= 1.61, < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions:
maven:org.bouncycastle:bcprov-jdk13
Affected Version Ranges: >= 1.61, < 1.78
Fixed in: 1.78
maven:org.bouncycastle:bcprov-jdk14
Dependent packages: 33
Dependent repositories: 201
Downloads:
Affected Version Ranges: >= 1.61, < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bcprov-jdk15to18
Dependent packages: 187
Dependent repositories: 341
Downloads:
Affected Version Ranges: >= 1.61, < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bcprov-jdk18on
Dependent packages: 500
Dependent repositories: 920
Downloads:
Affected Version Ranges: >= 1.61, < 1.78
Fixed in: 1.78
All affected versions: 1.71.1
All unaffected versions: 1.78.1