Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tNDRqLWNmcm0tZzhxY84AA76G

Bouncy Castle crafted signature and public key can be used to trigger an infinite loop

An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.

Permalink: https://github.com/advisories/GHSA-m44j-cfrm-g8qc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tNDRqLWNmcm0tZzhxY84AA76G
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 2 months ago
Updated: about 1 month ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Identifiers: GHSA-m44j-cfrm-g8qc, CVE-2024-30172
References: Repository: https://github.com/bcgit/bc-csharp
Blast Radius: 23.7

Affected Packages

nuget:BouncyCastle.Cryptography
Dependent packages: 261
Dependent repositories: 0
Downloads: 34,639,751 total
Affected Version Ranges: < 2.3.1
Fixed in: 2.3.1
All affected versions: 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0
All unaffected versions: 2.3.1, 2.4.0

nuget:BouncyCastle
Dependent packages: 306
Dependent repositories: 0
Downloads: 60,652,083 total
Affected Version Ranges: < 2.3.1
No known fixed version
All affected versions: 1.7.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.9

maven:org.bouncycastle:bcpkix-jdk14
Dependent packages: 8
Dependent repositories: 22
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1

maven:org.bouncycastle:bcpkix-jdk15to18
Dependent packages: 85
Dependent repositories: 303
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1

maven:org.bouncycastle:bcpkix-jdk18on
Dependent packages: 431
Dependent repositories: 772
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions: 1.71.1
All unaffected versions: 1.78.1

maven:org.bouncycastle:bctls-jdk15to18
Dependent packages: 5
Dependent repositories: 11
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1

maven:org.bouncycastle:bctls-jdk14
Dependent packages: 0
Dependent repositories: 1
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1

maven:org.bouncycastle:bctls-jdk18on
Dependent packages: 12
Dependent repositories: 47
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions: 1.71.1
All unaffected versions: 1.78.1

maven:org.bouncycastle:bcprov-jdk14
Dependent packages: 33
Dependent repositories: 201
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1

maven:org.bouncycastle:bcprov-jdk15to18
Dependent packages: 187
Dependent repositories: 341
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions:
All unaffected versions: 1.78.1

maven:org.bouncycastle:bcprov-jdk15on
Dependent packages: 3,304
Dependent repositories: 18,945
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions: 1.65.1
All unaffected versions:

maven:org.bouncycastle:bcprov-jdk18on
Dependent packages: 500
Dependent repositories: 920
Downloads:
Affected Version Ranges: < 1.78
Fixed in: 1.78
All affected versions: 1.71.1
All unaffected versions: 1.78.1