CVE-2023-33202

Bouncy Castle Denial of Service (DoS)

Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack.

Patch Available

Vulnerability Details

Score: 5.4
Score Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Versions:
    org.bouncycastle:bcprov-ext-jdk16 < 1.73
    org.bouncycastle:bcprov-jdk14 < 1.73
    org.bouncycastle:bcprov-jdk15 < 1.73
    org.bouncycastle:bcprov-jdk15to18 < 1.73
    org.bouncycastle:bcprov-jdk16 < 1.73
    org.bouncycastle:bcpkix-jdk18on < 1.73
    org.bouncycastle:bcprov-ext-jdk15on < 1.73
    org.bouncycastle:bcprov-jdk18on < 1.73
Severity: Medium
Ecosystem:
Publish Date: November 23, 2023
Modified Date: October 22, 2024