Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tNDRqLWNmcm0tZzhxY84AA76G
Bouncy Castle crafted signature and public key can be used to trigger an infinite loop
An issue was discovered in Bouncy Castle Java Cryptography APIs starting in 1.73 and before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.
Permalink: https://github.com/advisories/GHSA-m44j-cfrm-g8qc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tNDRqLWNmcm0tZzhxY84AA76G
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 8 months ago
Updated: about 1 month ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Percentage: 0.00043
EPSS Percentile: 0.10511
Identifiers: GHSA-m44j-cfrm-g8qc, CVE-2024-30172
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-30172
- https://www.bouncycastle.org/latest_releases.html
- https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030172
- https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030172
- https://security.netapp.com/advisory/ntap-20240614-0007
- https://github.com/bcgit/bc-java/commit/9c165791b68a204678b48ec11e4e579754c2ea49
- https://github.com/bcgit/bc-java/commit/ebe1c75579170072dc59b8dee2b55ce31663178f
- https://github.com/bcgit/bc-java/commit/1b9fd9b545e691bfb3941a9f6a797660c8860f02
- https://github.com/advisories/GHSA-m44j-cfrm-g8qc
Blast Radius: 16.7
Affected Packages
maven:org.bouncycastle:bctls-jdk15to18
Dependent packages: 5
Dependent repositories: 11
Downloads:
Affected Version Ranges: >= 1.73, < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bctls-jdk14
Dependent packages: 0
Dependent repositories: 1
Downloads:
Affected Version Ranges: >= 1.73, < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bctls-jdk18on
Dependent packages: 12
Dependent repositories: 47
Downloads:
Affected Version Ranges: >= 1.73, < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.71.1, 1.78.1
maven:org.bouncycastle:bcprov-jdk14
Dependent packages: 33
Dependent repositories: 201
Downloads:
Affected Version Ranges: >= 1.73, < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bcprov-jdk15to18
Dependent packages: 187
Dependent repositories: 341
Downloads:
Affected Version Ranges: >= 1.73, < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bcprov-jdk18on
Dependent packages: 500
Dependent repositories: 920
Downloads:
Affected Version Ranges: >= 1.73, < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.71.1, 1.78.1
nuget:BouncyCastle.Cryptography
Dependent packages: 261
Dependent repositories: 0
Downloads: 73,010,097 total
Affected Version Ranges: < 2.3.1
Fixed in: 2.3.1
All affected versions: 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0
All unaffected versions: 2.3.1, 2.4.0, 2.5.0
nuget:BouncyCastle
Dependent packages: 306
Dependent repositories: 0
Downloads: 66,912,809 total
Affected Version Ranges: < 2.3.1
No known fixed version
All affected versions: 1.7.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.9