Vulnerability CVE-2023-33202

[sec-hound-service[bot]]

Dependency Information

• Name: pkg@maven@org.bouncycastle@bcpg-jdk18on@1.71
• License: Bouncy Castle Licence: https://www.bouncycastle.org/licence.html Apache Software License, Version 1.1: https://www.apache.org/licenses/LICENSE-1.1
• Description: The Bouncy Castle Java API for handling the OpenPGP protocol. This jar contains the OpenPGP API for JDK 1.8 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.
• URL: https://ossindex.sonatype.org/component/pkg:maven/org.bouncycastle/bcpg-jdk18on@1.71?utm_source=dependency-check&utm_medium=integration&utm_content=9.0.9

---

Vulnerability Details

• Code: CVE-2023-33202
• Source: NVD
• Severity: MEDIUM
• Description: Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)

---

Common Vulnerability Scoring System (CVSSv3)

• Base Score: 5.5
• Attack Vector: LOCAL
• Attack Complexity: LOW
• Privileges Required: NONE
• User Interaction: REQUIRED
• Scope: UNCHANGED
• Confidentiality Impact: NONE
• Integrity Impact: NONE
• Availability Impact: HIGH
• Base Severity: MEDIUM
• Exploitability Score: 1.8
• Impact Score: 3.6
• Version: 3.1

Known Exploits Vulnerability

No known exploited vulnerability

For more information, visit the NVD

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Fri Jul 05 23:47:54 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Fri Jul 05 23:50:31 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Fri Jul 05 23:53:25 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Fri Jul 05 23:57:08 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Sat Jul 06 00:03:32 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Sat Jul 06 00:11:36 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Sat Jul 06 00:12:57 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Sat Jul 06 10:24:34 WEST 2024

[sec-hound-service[bot]]

The issue was reopened because the dependency that contain the vulnerability was not fixed, or the vulnerability was not removed. Date: Sat Jul 06 10:36:06 WEST 2024