[MAVEN:GHSA-4446-656P-F54G] Deserialization of Untrusted Data in Bouncy Castle

Severity Critical
Affected Packages 1
Fixed Packages 1
CVEs 1

The Legion of the Bouncy Castle Java Cryptography APIs, starting in version 1.57 and prior to version 1.60, contain a CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, 'Unsafe Reflection') vulnerability in XMSS/XMSSMT private key deserialization. Deserializing an XMSS/XMSSMT private key can result in the execution of unexpected code: a handcrafted private key can include references to unexpected classes, which will be loaded from the class path of the executing application. This vulnerability appears to have been fixed in version 1.60 and later.
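As an added example that is not part of this advisory, the following Python check flags Maven dependency coordinates that fall inside the affected range stated above (>= 1.57, < 1.60, fixed in 1.60). The `mvn dependency:list` output lines it scans are constructed for illustration, and the coordinate format it parses is assumed to be the usual `group:artifact:packaging:version:scope` form.

```python
# Added example (not part of the advisory): detect bcprov-jdk15on versions
# inside the affected range GHSA-4446-656P-F54G gives: >= 1.57 and < 1.60.
import re

AFFECTED_GROUP = "org.bouncycastle"
AFFECTED_ARTIFACT = "bcprov-jdk15on"
INTRODUCED = (1, 57)   # first affected version
FIXED = (1, 60)        # first fixed version


def parse_version(version):
    """Turn a Maven version such as '1.59' or '1.60.1' into a tuple of ints.
    Trailing qualifiers like '-SNAPSHOT' are ignored for range comparison."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(group, artifact, version):
    """True only for the artifact the advisory names, inside [1.57, 1.60)."""
    if group != AFFECTED_GROUP or artifact != AFFECTED_ARTIFACT:
        return False
    return INTRODUCED <= parse_version(version) < FIXED


def scan_dependency_list(lines):
    """Scan 'group:artifact:packaging:version:scope' lines as printed by
    `mvn dependency:list` (assumed format) and return affected coordinates."""
    hits = []
    for line in lines:
        m = re.search(r"([\w.\-]+):([\w.\-]+):\w+:([\w.\-]+)", line)
        if not m:
            continue
        group, artifact, version = m.groups()
        if is_affected(group, artifact, version):
            hits.append(f"{group}:{artifact}:{version}")
    return hits


# Constructed sample output, not from a real build.
SAMPLE = [
    "[INFO]    org.bouncycastle:bcprov-jdk15on:jar:1.59:compile",
    "[INFO]    org.bouncycastle:bcprov-jdk15on:jar:1.60:compile",
    "[INFO]    org.bouncycastle:bcpkix-jdk15on:jar:1.59:compile",
    "[INFO]    org.bouncycastle:bcprov-jdk15on:jar:1.56:compile",
]

if __name__ == "__main__":
    for hit in scan_dependency_list(SAMPLE):
        print("affected:", hit)
```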

Package Affected Version
pkg:maven/org.bouncycastle/bcprov-jdk15on >= 1.57, < 1.60
Package Fixed Version
pkg:maven/org.bouncycastle/bcprov-jdk15on = 1.60
ID
MAVEN:GHSA-4446-656P-F54G
Severity
critical
URL
https://github.com/advisories/GHSA-4446-656p-f54g
Published
2018-10-17T16:23:12
Modified
2023-08-18T14:24:22
Rights
Maven Security Team
Other Advisories
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.bouncycastle/bcprov-jdk15on org.bouncycastle bcprov-jdk15on >= 1.57 < 1.60
Fixed pkg:maven/org.bouncycastle/bcprov-jdk15on org.bouncycastle bcprov-jdk15on = 1.60