Vulnerability CVE-2023-33201

[sec-hound-service[bot]]

Dependency Information

• Name: pkg@maven@org.bouncycastle@bcprov-jdk18on@1.71
• License: Bouncy Castle Licence: https://www.bouncycastle.org/licence.html
• Description: The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.8 and up.
• URL: https://ossindex.sonatype.org/component/pkg:maven/org.bouncycastle/bcprov-jdk18on@1.71?utm_source=dependency-check&utm_medium=integration&utm_content=9.0.9

---

Vulnerability Details

• Code: CVE-2023-33201
• Source: OSSINDEX
• Severity: MEDIUM
• Description: Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.

---

Common Vulnerability Scoring System (CVSSv3)

• Base Score: 5.300000190734863
• Attack Vector: NETWORK
• Attack Complexity: LOW
• Privileges Required: NONE
• User Interaction: NONE
• Scope: UNCHANGED
• Confidentiality Impact: LOW
• Integrity Impact: NONE
• Availability Impact: NONE
• Base Severity: MEDIUM
• Exploitability Score: N/A
• Impact Score: N/A
• Version: 3.1

Known Exploits Vulnerability

No known exploited vulnerability

For more information, visit the NVD

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Fri Jul 05 23:47:59 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Fri Jul 05 23:52:05 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Fri Jul 05 23:53:30 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Fri Jul 05 23:57:24 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Sat Jul 06 00:03:36 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Sat Jul 06 00:11:40 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Sat Jul 06 00:13:01 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Sat Jul 06 10:24:38 WEST 2024

[sec-hound-service[bot]]

The issue was reopened because the dependency that contain the vulnerability was not fixed, or the vulnerability was not removed. Date: Sat Jul 06 10:36:12 WEST 2024