CVE-2023-33202Uncontrolled Resource Consumption in Bouncy Castle FOR Java

CWE-400Uncontrolled Resource Consumption9 documents7 sources
Severity
5.5MEDIUMNVD
EPSS
0.2%
top 63.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Bouncycastle Bouncy Castle FOR JavaBouncycastle Fips Java API
Timeline
PublishedNov 23
Latest updateJan 15

Description

Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is f

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

🔴Vulnerability Details

4
OSV
CVE-2023-33202: Bouncy Castle for Java before 12023-11-23
GHSA
Bouncy Castle Denial of Service (DoS)2023-11-23
OSV
Bouncy Castle Denial of Service (DoS)2023-11-23
CVEList
CVE-2023-33202: Bouncy Castle for Java before 12023-11-23

📋Vendor Advisories

4
Oracle
Oracle Oracle Analytics Risk Matrix: Analytics Server (Bouncy Castle Java Library) — CVE-2023-332022025-01-15
Oracle
Oracle Oracle Analytics Risk Matrix: Analytics Server (Bouncy Castle Java Library) — CVE-2023-332022024-07-15
Red Hat
bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class2023-11-23
Debian
CVE-2023-33202: bouncycastle - Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) ...2023
CVE-2023-33202 — Uncontrolled Resource Consumption | cvebase