Open mend-bolt-for-github[bot] opened 2 years ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
CVE-2015-7940 - Medium Severity Vulnerability
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /handler/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.50/bcprov-jdk15on-1.50.jar
Dependency Hierarchy: - bcpkix-jdk15on-1.50.jar (Root Library) - :x: **bcprov-jdk15on-1.50.jar** (Vulnerable Library)
Found in HEAD commit: 349543fa7012e8d0f84182eb672766e12d70eac3
Found in base branch: master
The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
Publish Date: 2015-11-09
URL: CVE-2015-7940
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7940
Release Date: 2015-11-09
Fix Resolution (org.bouncycastle:bcprov-jdk15on): 1.51
Direct dependency fix Resolution (org.bouncycastle:bcpkix-jdk15on): 1.51
Step up your Open Source Security Game with Mend here