CVE-2020-15522

CVSS v3.1 5.9 (Medium)

CVSS v2.0 4.3 (Medium)

EPSS 0.13 % (48^th)

Affected Products 4

Advisories 5

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.

Weaknesses

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVE Status: PUBLISHED
CNA: MITRE
Published Date: 2021-05-20 12:15:08
(3 years ago)
Updated Date: 2021-06-22 09:15:11
(3 years ago)

Affected Products

Bouncycastle

Configuration #1

	CPE23	From	Up To
Bouncycastle Bc-csharp prior 1.8.7 version	cpe:2.3:a:bouncycastle:bc-csharp		< 1.8.7
Bouncycastle Bouncy Castle Fips .net Api prior 1.0.1.1 version	cpe:2.3:a:bouncycastle:bouncy_castle_fips_.net_api		< 1.0.1.1
Bouncycastle Legion-of-the-bouncy-castle-fips-java-api prior 1.0.1.2 version	cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-fips-java-api		< 1.0.1.2
Bouncycastle Legion-of-the-bouncy-castle-fips-java-api from 1.0.2 version and prior 1.0.2.1 version	cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-fips-java-api	>= 1.0.2	< 1.0.2.1
Bouncycastle The Bouncy Castle Crypto Package for Java prior 1.66 version	cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java		< 1.66