Bouncy Castle FIPS Java API vulnerabilities

5 known vulnerabilities affecting bouncycastle/fips_java_api.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 4

Vulnerabilities

CVE-2023-33202 | MEDIUM | CVSS 5.5 | fixed in 1.0.2.4 | 2023-11-23
CVE-2023-33202 [MEDIUM] CWE-400: Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMe
nvd
CVE-2022-45146 | MEDIUM | CVSS 5.5 | fixed in 1.0.2.4 | 2022-11-21
CVE-2022-45146 [MEDIUM] CWE-416: An issue was discovered in the FIPS Java API of Bouncy Castle BC-FJA before 1.0.2.4. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules where it is possible for temporary keys used by the module to be zeroed out while still in use by the module, resulting in errors or potential information loss. NOTE
nvd
CVE-2020-15522 | MEDIUM | CVSS 5.9 | fixed in 1.0.1.2 | ≥ 1.0.2, < 1.0.2.1 | 2021-05-20
CVE-2020-15522 [MEDIUM] CWE-362: Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.
nvd
CVE-2020-26939 | MEDIUM | CVSS 5.3 | fixed in 1.0.1.2 | 2020-11-02
CVE-2020-26939 [MEDIUM] CWE-203: In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder coul
nvd
CVE-2018-1000180 | HIGH | CVSS 7.5 | ≤ 1.0.1 | 2018-06-05
CVE-2018-1000180 [HIGH] CWE-327: Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
nvd