CVE-2013-1624Improper Input Validation in Bc-java

CWE-20Improper Input ValidationCWE-385Covert Timing Channel12 documents7 sources
Severity
4.0MEDIUMNVD
CNA2.6GHSA2.6OSV2.6
EPSS
0.4%
top 40.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Bouncycastle Bc-javaBouncycastle Legion-of-the-bouncy-castle-c Cryptography-api
Timeline
PublishedFeb 8
Latest updateMay 14

Description

The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

CVSS vector

AV:N/AC:H/C:P/I:P/A:NExploitability: 4.9 | Impact: 4.9

Affected Packages2 packages

NVDbouncycastle/bc-java47 versions+46

🔴Vulnerability Details

4
GHSA
Improper Input Validation in Bouncy Castle2022-05-14
OSV
Improper Input Validation in Bouncy Castle2022-05-14
CVEList
CVE-2013-1624: The TLS implementation in the Bouncy Castle Java library before 12013-02-08
OSV
CVE-2013-1624: The TLS implementation in the Bouncy Castle Java library before 12013-02-08

📋Vendor Advisories

2
Red Hat
bouncycastle: TLS CBC padding timing attack2013-02-04
Debian
CVE-2013-1624: bouncycastle - The TLS implementation in the Bouncy Castle Java library before 1.48 and C# libr...2013

💬Community

5
Bugzilla
BPMS 6.0 is affected by CVE-2013-1624 bouncycastle: TLS CBC padding timing attack2014-01-27
Bugzilla
CVE-2013-1624 bouncycastle: TLS CBC padding timing attack [jpp-6.2.0]2014-01-27
Bugzilla
CVE-2013-1624 bouncycastle: TLS CBC padding timing attack [epel-all]2013-03-12
Bugzilla
CVE-2013-1624 bouncycastle: TLS CBC padding timing attack [fedora-all]2013-03-12
Bugzilla
CVE-2013-1624 bouncycastle: TLS CBC padding timing attack2013-02-06
CVE-2013-1624 — Improper Input Validation in Bc-java | cvebase