Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZ4eDMtcmc5OS1nYzNw
Timing based private key exposure in Bouncy Castle
Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.2.1, BC before 1.66, BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.
Permalink: https://github.com/advisories/GHSA-6xx3-rg99-gc3pJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZ4eDMtcmc5OS1nYzNw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
CVSS Score: 5.1
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Percentage: 0.00128
EPSS Percentile: 0.4796
Identifiers: GHSA-6xx3-rg99-gc3p, CVE-2020-15522
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-15522
- https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522
- https://github.com/bcgit/bc-java/wiki/CVE-2020-15522
- https://security.netapp.com/advisory/ntap-20210622-0007/
- https://www.bouncycastle.org/releasenotes.html
- https://github.com/advisories/GHSA-6xx3-rg99-gc3p
Blast Radius: 22.8
Affected Packages
nuget:BouncyCastle
Dependent packages: 306Dependent repositories: 0
Downloads: 66,912,809 total
Affected Version Ranges: < 1.8.7
Fixed in: 1.8.7
All affected versions: 1.7.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6
All unaffected versions: 1.8.9
maven:org.bouncycastle:bcprov-jdk16
Dependent packages: 563Dependent repositories: 6,549
Downloads:
Affected Version Ranges: < 1.66
Fixed in: 1.66
All affected versions:
All unaffected versions:
maven:org.bouncycastle:bcprov-jdk15to18
Dependent packages: 187Dependent repositories: 341
Downloads:
Affected Version Ranges: < 1.66
Fixed in: 1.66
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bcprov-jdk15on
Dependent packages: 3,304Dependent repositories: 18,945
Downloads:
Affected Version Ranges: < 1.66
Fixed in: 1.66
All affected versions: 1.65.1
All unaffected versions:
maven:org.bouncycastle:bcprov-jdk15
Dependent packages: 104Dependent repositories: 985
Downloads:
Affected Version Ranges: < 1.66
Fixed in: 1.66
All affected versions:
All unaffected versions:
maven:org.bouncycastle:bcprov-jdk14
Dependent packages: 33Dependent repositories: 201
Downloads:
Affected Version Ranges: < 1.66
Fixed in: 1.66
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bcprov-ext-jdk16
Dependent packages: 16Dependent repositories: 147
Downloads:
Affected Version Ranges: < 1.66
Fixed in: 1.66
All affected versions:
All unaffected versions:
maven:org.bouncycastle:bcprov-ext-jdk15on
Dependent packages: 261Dependent repositories: 1,160
Downloads:
Affected Version Ranges: < 1.66
Fixed in: 1.66
All affected versions:
All unaffected versions:
maven:org.bouncycastle:bc-fips
Dependent packages: 50Dependent repositories: 550
Downloads:
Affected Version Ranges: <= 1.0.2
Fixed in: 1.0.2.1
All affected versions: 1.0.0, 1.0.1, 1.0.2
All unaffected versions: 2.0.0