Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04eGZjLWdtNmctdmdwds4AA75b

Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation.

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

Permalink: https://github.com/advisories/GHSA-8xfc-gm6g-vgpv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04eGZjLWdtNmctdmdwds4AA75b
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 8 months ago
Updated: about 1 month ago


CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Identifiers: GHSA-8xfc-gm6g-vgpv, CVE-2024-29857
References: Repository: https://github.com/bcgit/bc-csharp
Blast Radius: 23.7

Affected Packages

nuget:BouncyCastle.Cryptography
Dependent packages: 261
Dependent repositories: 0
Downloads: 73,010,097 total
Affected Version Ranges: < 2.3.1
Fixed in: 2.3.1
All affected versions: 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0
All unaffected versions: 2.3.1, 2.4.0, 2.5.0
nuget:BouncyCastle
Dependent packages: 306
Dependent repositories: 0
Downloads: 66,912,809 total
Affected Version Ranges: < 2.3.1
No known fixed version
All affected versions: 1.7.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.9
maven:org.bouncycastle:bc-fips
Dependent packages: 50
Dependent repositories: 550
Downloads:
Affected Version Ranges: < 1.0.2.5
Fixed in: 1.0.2.5
All affected versions:
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 2.0.0
maven:org.bouncycastle:bctls-jdk15to18
Dependent packages: 5
Dependent repositories: 11
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bctls-jdk14
Dependent packages: 0
Dependent repositories: 1
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bctls-jdk18on
Dependent packages: 12
Dependent repositories: 47
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions: 1.71.1
All unaffected versions: 1.78.1
maven:org.bouncycastle:bcprov-jdk14
Dependent packages: 33
Dependent repositories: 201
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bcprov-jdk15to18
Dependent packages: 187
Dependent repositories: 341
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bcprov-jdk15on
Dependent packages: 3,304
Dependent repositories: 18,945
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions: 1.65.1
All unaffected versions:
maven:org.bouncycastle:bcprov-jdk18on
Dependent packages: 500
Dependent repositories: 920
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions: 1.71.1
All unaffected versions: 1.78.1