After call graph analysis, this vulnerable method does not appear to be called; however, best practice dictates updating to a safe version.
This vulnerability is in a transitive dependency. It can be fixed by overriding it: add a new direct dependency on the library in your project, pinned to the fixed version.
Legion of the Bouncy Castle Java Cryptography APIs is vulnerable to remote code execution via a deserialization bug. This is due to a lack of class checking in the deserialization of XMSS/XMSS^MT private keys with BDS state information.
Bouncy Castle is vulnerable to hash collision attacks. The library's keystore files use an HMAC that is only 16 bits long, allowing a malicious user to recover the password used for keystore integrity verification checks. This vulnerability only affects users of the BKS-V1 keystore format, which was re-introduced in 1.49.
This issue was fixed in version 1.60 of Bouncy Castle Provider. That version is currently considered safe; we suggest that you upgrade to the fixed version.
Please note that some provided dependencies will still refer to this Bouncy Castle version, but as they are provided dependencies they are not included in the final artifact.
pom.xml
Dependency graph:
com.atlassian.bitbucket.server:bitbucket-page-objects:5.8.0
com.atlassian.bitbucket.server:bitbucket-it-common:5.8.0
org.codehaus.groovy:groovy-all:2.4.7