Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTcybTUtZnZ2di01NW02

Moderate EPSS: 0.02577% (0.84983 Percentile) EPSS:
Permalink JSON

Observable Differences in Behavior to Error Inputs in Bouncy Castle

Affected Packages Affected Versions Fixed Versions
maven:org.bouncycastle:bcprov-jdk15to18 < 1.61 1.61
187 Dependent packages
341 Dependent repositories

Affected Version Ranges

All affected versions

All unaffected versions

1.78.1
maven:org.bouncycastle:bcprov-jdk15on < 1.61 1.61
3,304 Dependent packages
18,945 Dependent repositories

Affected Version Ranges

All affected versions

All unaffected versions

1.65.01
maven:org.bouncycastle:bcprov-ext-jdk16 < 1.61 1.61
16 Dependent packages
147 Dependent repositories

Affected Version Ranges

All affected versions

All unaffected versions
maven:org.bouncycastle:bcprov-ext-jdk15on < 1.61 1.61
261 Dependent packages
1,160 Dependent repositories

Affected Version Ranges

All affected versions

All unaffected versions
maven:org.bouncycastle:bc-fips < 1.0.2 1.0.2
50 Dependent packages
550 Dependent repositories

Affected Version Ranges

All affected versions

1.0.0, 1.0.1

All unaffected versions

1.0.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2
maven:org.bouncycastle:bcprov-jdk16 < 1.61 1.61
563 Dependent packages
6,549 Dependent repositories

Affected Version Ranges

All affected versions

All unaffected versions
maven:org.bouncycastle:bcprov-jdk15 < 1.61 1.61
104 Dependent packages
985 Dependent repositories

Affected Version Ranges

All affected versions

All unaffected versions
maven:org.bouncycastle:bcprov-jdk14 < 1.61 1.61
33 Dependent packages
201 Dependent repositories

Affected Version Ranges

All affected versions

All unaffected versions

1.78.1

In Legion of the Bouncy Castle BC before 1.55 and BC-FJA before 1.0.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.

References:

Identifiers

GHSA-72m5-fvvv-55m6

CVE-2020-26939

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.02577

EPSS Percentile: 0.84983

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/bcgit/bc-java

Date and time

Published

over 4 years ago

Updated

17 minutes ago

API

JSON