GHSA-m44j-cfrm-g8qc

Source
https://github.com/advisories/GHSA-m44j-cfrm-g8qc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m44j-cfrm-g8qc
Aliases
Related
Published
2024-05-14T15:32:54Z
Modified
2024-11-05T21:45:50.566198Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
Bouncy Castle crafted signature and public key can be used to trigger an infinite loop
Details

An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An infinite loop can occur in the Ed25519 verification code via a crafted signature and public key.

References

Affected packages

Maven / org.bouncycastle:bcprov-jdk18on

Package

Name
org.bouncycastle:bcprov-jdk18on
Purl
pkg:maven/org.bouncycastle/bcprov-jdk18on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.78

Affected versions

1.*

1.71
1.71.1
1.72
1.73
1.74
1.75
1.76
1.77

Maven / org.bouncycastle:bcprov-jdk15on

Package

Name
org.bouncycastle:bcprov-jdk15on
Purl
pkg:maven/org.bouncycastle/bcprov-jdk15on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.78

Affected versions

1.*

1.46
1.47
1.48
1.49
1.50
1.51
1.52
1.53
1.54
1.55
1.56
1.57
1.58
1.59
1.60
1.61
1.62
1.63
1.64
1.65
1.65.01
1.66
1.67
1.68
1.69
1.70

Maven / org.bouncycastle:bcprov-jdk15to18

Package

Name
org.bouncycastle:bcprov-jdk15to18
Purl
pkg:maven/org.bouncycastle/bcprov-jdk15to18

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.78

Affected versions

1.*

1.63
1.64
1.65
1.66
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77

Maven / org.bouncycastle:bcprov-jdk14

Package

Name
org.bouncycastle:bcprov-jdk14
Purl
pkg:maven/org.bouncycastle/bcprov-jdk14

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.78

Affected versions

1.*

1.38
1.43
1.44
1.45
1.46
1.47
1.48
1.49
1.50
1.51
1.53
1.54
1.55
1.56
1.57
1.58
1.59
1.60
1.61
1.62
1.63
1.64
1.65
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77

Maven / org.bouncycastle:bctls-jdk18on

Package

Name
org.bouncycastle:bctls-jdk18on
Purl
pkg:maven/org.bouncycastle/bctls-jdk18on

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.78

Affected versions

1.*

1.71
1.71.1
1.72
1.73
1.74
1.75
1.76
1.77

Maven / org.bouncycastle:bctls-jdk14

Package

Name
org.bouncycastle:bctls-jdk14
Purl
pkg:maven/org.bouncycastle/bctls-jdk14

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.78

Affected versions

1.*

1.61
1.62
1.63
1.64
1.65
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77

Maven / org.bouncycastle:bctls-jdk15to18

Package

Name
org.bouncycastle:bctls-jdk15to18
Purl
pkg:maven/org.bouncycastle/bctls-jdk15to18

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.78

Affected versions

1.*

1.63
1.64
1.65
1.66
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77

NuGet / BouncyCastle

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*

1.7.0
1.8.1
1.8.2
1.8.3
1.8.3.1
1.8.4
1.8.5
1.8.6
1.8.6.1
1.8.9

Database specific

{
    "last_known_affected_version_range": "< 2.3.1"
}

NuGet / BouncyCastle.Cryptography

Package

Name
BouncyCastle.Cryptography
Purl
pkg:nuget/BouncyCastle.Cryptography

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.3.1

Affected versions

2.*

2.0.0
2.1.0
2.1.1
2.2.0
2.2.1
2.3.0