CVE-2023-33201

Aliases:GHSA-hr8g-6v94-x4m9

Advisory lineage Upstream: 0 Downstream: 12

Downstream

DEBIAN-CVE-2023-33201 DLA-3514-1 OPENSUSE-SU-2024:13016-1 RHSA-2023:5484 RHSA-2023:5485 RHSA-2023:5486

Modified

Published: 05 Jul 2023, 00:00

Last modified:04 Dec 2024, 15:48

Vulnerability Summary

Overall Risk (default)

low

21/100

CVSS Score

5.3 MEDIUM

v3.1 (nvd)

EPSS Score

0.33% LOW

0% probability -0.07%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

05 Jul 2023, 00:00

Published

Vulnerability first disclosed

04 Dec 2024, 15:48

Last Modified

Vulnerability information updated

Description

Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.

CVSS Metrics

v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Trends

Current EPSS score: 0.33%• Percentile: 56%

Techniques & Countermeasures

CWE-295•Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.

Affected Systems

bouncycastle•bc-java
< 1.74
org.bouncycastle•bcprov-debug-jdk14
≥ 1.49, < 1.74
org.bouncycastle•bcprov-debug-jdk15on
≥ 1.49, ≤ 1.70
org.bouncycastle•bcprov-debug-jdk15to18
< 1.74
org.bouncycastle•bcprov-debug-jdk18on
< 1.74
org.bouncycastle•bcprov-ext-jdk14
≥ 1.49, < 1.74
org.bouncycastle•bcprov-ext-jdk15on
≥ 1.49, ≤ 1.70
org.bouncycastle•bcprov-ext-jdk15to18
< 1.74
org.bouncycastle•bcprov-ext-jdk18on
< 1.74
org.bouncycastle•bcprov-jdk14
≥ 1.49, < 1.74
org.bouncycastle•bcprov-jdk15on
≥ 1.49, ≤ 1.70
org.bouncycastle•bcprov-jdk15to18
< 1.74
org.bouncycastle•bcprov-jdk18on
< 1.74