CVE-2024-30171

Aliases: CGA-5mrq-75x2-g8hj, CGA-2f4h-fc34-cw83, CGA-9qv8-44xh-vf2p, GHSA-v435-xc8x-wvr9, CGA-9QV8-44XH-VF2P
Deferred
Published: 09 May 2024, 00:00
Last modified: 19 Aug 2024, 17:18

Vulnerability Summary

Overall Risk (default): low, 24/100
CVSS Score: 5.9 MEDIUM, v3.1 (cve.org)
EPSS Score: 0.14% LOW, 0% probability +0.04%
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

09 May 2024, 00:00 - Published: Vulnerability first disclosed
19 Aug 2024, 17:18 - Last Modified: Vulnerability information updated

Description

An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA-based handshakes because of exception processing.

CVSS Metrics

  • v3.1, MEDIUM, Score: 5.9, Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Trends

Current EPSS score: 0.14%, Percentile: 34%

Techniques & Countermeasures

  • CWE-203: Observable Discrepancy

    The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

Affected Systems

  • chainguard: apache-nifi

    < 1.26.0-r2

  • chainguard: logstash-jre-bcfips

    < 8.13.4-r0

  • org.bouncycastle:bcprov-jdk14

    < 1.78

  • org.bouncycastle:bcprov-jdk15on

    < 1.78

  • org.bouncycastle:bcprov-jdk15to18

    < 1.78

  • org.bouncycastle:bcprov-jdk18on

    < 1.78

  • org.bouncycastle:bctls-fips

    < 1.0.19

  • org.bouncycastle:bctls-jdk14

    < 1.78

  • org.bouncycastle:bctls-jdk15to18

    < 1.78

  • org.bouncycastle:bctls-jdk18on

    < 1.78

  • NuGet: BouncyCastle

    all

  • NuGet: BouncyCastle.Cryptography

    < 2.3.1
