CVE-2024-30172 (High) detected in bcprov-jdk15on-1.65.01.jar #431
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-jackfan.us.kg
bot
added
the
Mend: dependency security vulnerability
mend-for-jackfan.us.kg
bot
changed the title
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2024-30172 - High Severity Vulnerability
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5+.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /vc-worker/pom.xml
Path to vulnerable library: /vc-worker/libs/bcprov-jdk15on-1.65.01.jar,/home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.65.01/bcprov-jdk15on-1.65.01.jar
Dependency Hierarchy:
Found in base branch: master
An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.
Publish Date: 2024-05-09
URL: CVE-2024-30172
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2024-30172
Release Date: 2024-03-24
Fix Resolution: org.bouncycastle:bcprov-jdk18on:1.78,org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk14:1.78
⛑️ Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: