CVE-2024-30171 (Medium) detected in bouncycastle.cryptography.2.3.0.nupkg
mend-bolt-for-github opened this issue · comments
CVE-2024-30171 - Medium Severity Vulnerability
Vulnerable Library - bouncycastle.cryptography.2.3.0.nupkg
BouncyCastle.NET is a popular cryptography library for .NET
Library home page: https://api.nuget.org/packages/bouncycastle.cryptography.2.3.0.nupkg
Path to dependency file: /src/Server/BlazorBoilerplate.Server/BlazorBoilerplate.Server.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/bouncycastle.cryptography/2.3.0/bouncycastle.cryptography.2.3.0.nupkg
Dependency Hierarchy:
- mailkit.4.4.0.nupkg (Root Library)
- mimekit.4.4.0.nupkg
- ❌ bouncycastle.cryptography.2.3.0.nupkg (Vulnerable Library)
- mimekit.4.4.0.nupkg
Found in HEAD commit: 50e6082605bee27209d9c1a08f59753707d3552b
Found in base branch: master
Vulnerability Details
An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.
Publish Date: 2024-05-14
URL: CVE-2024-30171
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-v435-xc8x-wvr9
Release Date: 2024-05-14
Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78, BouncyCastle.Cryptography - 2.3.1
Step up your Open Source Security Game with Mend here