ghsa-8xfc-gm6g-vgpv
Vulnerability from github
Published
2024-05-14 15:32
Modified
2024-09-09 21:32
Severity ?
Summary
Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation.
Details
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "org.bouncycastle:bcprov-jdk18on" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.78" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.bouncycastle:bcprov-jdk15on" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.78" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.bouncycastle:bcprov-jdk15to18" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.78" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.bouncycastle:bcprov-jdk14" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.78" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.bouncycastle:bctls-jdk18on" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.78" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.bouncycastle:bctls-jdk14" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.78" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.bouncycastle:bctls-jdk15to18" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.78" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.bouncycastle:bc-fips" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.0.2.5" } ], "type": "ECOSYSTEM" } ] }, { "database_specific": { "last_known_affected_version_range": "\u003c 2.3.1" }, "package": { "ecosystem": "NuGet", "name": "BouncyCastle" }, "ranges": [ { "events": [ { "introduced": "0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "BouncyCastle.Cryptography" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.3.1" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2024-29857" ], "database_specific": { "cwe_ids": [ "CWE-125", "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2024-05-14T20:22:01Z", "nvd_published_at": "2024-05-14T15:17:02Z", "severity": "MODERATE" }, "details": "An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.", "id": "GHSA-8xfc-gm6g-vgpv", "modified": "2024-09-09T21:32:53Z", "published": "2024-05-14T15:32:54Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29857" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-csharp/commit/56daa6eac526f165416d17f661422d60de0dfd63" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/efc498ca4caa340ac2fe11f2efee06c1a294501f" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/fee80dd230e7fba132d03a34f1dd1d6aae0d0281" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9029857" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9029857" }, { "type": "WEB", "url": "https://www.bouncycastle.org/latest_releases.html" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "type": "CVSS_V3" } ], "summary": "Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation." }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.