Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12NDM1LXhjOHgtd3ZyOc4AA76H
Bouncy Castle affected by timing side-channel for RSA key exchange ("The Marvin Attack")
An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.
Permalink: https://github.com/advisories/GHSA-v435-xc8x-wvr9JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12NDM1LXhjOHgtd3ZyOc4AA76H
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: about 1 month ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-v435-xc8x-wvr9, CVE-2024-30171
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-30171
- https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030171
- https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030171
- https://www.bouncycastle.org/latest_releases.html
- https://github.com/bcgit/bc-csharp/commit/c984b8bfd8544dfc55dba91a02cbbbb9c580c217
- https://github.com/bcgit/bc-java/commit/d7d5e735abd64bf0f413f54fd9e495fc02400fb0
- https://github.com/bcgit/bc-java/commit/e0569dcb1dea9d421d84fc4c5c5688fe101afa2d
- https://security.netapp.com/advisory/ntap-20240614-0008
- https://github.com/advisories/GHSA-v435-xc8x-wvr9
Blast Radius: 26.2
Affected Packages
nuget:BouncyCastle.Cryptography
Dependent packages: 261Dependent repositories: 0
Downloads: 51,900,624 total
Affected Version Ranges: < 2.3.1
Fixed in: 2.3.1
All affected versions: 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0
All unaffected versions: 2.3.1, 2.4.0
nuget:BouncyCastle
Dependent packages: 306Dependent repositories: 0
Downloads: 64,132,888 total
Affected Version Ranges: < 2.3.1
No known fixed version
All affected versions: 1.7.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.9
maven:org.bouncycastle:bctls-jdk15to18
Dependent packages: 5Dependent repositories: 11
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bctls-jdk14
Dependent packages: 0Dependent repositories: 1
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bctls-jdk18on
Dependent packages: 12Dependent repositories: 47
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions: 1.71.1
All unaffected versions: 1.78.1
maven:org.bouncycastle:bcprov-jdk14
Dependent packages: 33Dependent repositories: 201
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bcprov-jdk15to18
Dependent packages: 187Dependent repositories: 341
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bcprov-jdk15on
Dependent packages: 3,304Dependent repositories: 18,945
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions: 1.65.1
All unaffected versions:
maven:org.bouncycastle:bcprov-jdk18on
Dependent packages: 500Dependent repositories: 920
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions: 1.71.1
All unaffected versions: 1.78.1
maven:org.bouncycastle:bctls-fips
Dependent packages: 8Dependent repositories: 125
Downloads:
Affected Version Ranges: < 1.0.19
Fixed in: 1.0.19
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.16, 1.0.17, 1.0.18
All unaffected versions: 1.0.19, 2.0.19