org.bouncycastle:bc-fips-debug@1.0.2.1 vulnerabilities

  • latest version

    2.0.0

  • latest non vulnerable version

  • first published

    4 years ago

  • latest version published

    5 months ago

  • licenses detected

  • package manager

  • Direct Vulnerabilities

    Known vulnerabilities in the org.bouncycastle:bc-fips-debug package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version
    • M (medium severity): Uncontrolled Resource Consumption ('Resource Exhaustion')

    Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') in the org.bouncycastle.openssl.PEMParser class. Parsing a file that contains crafted ASN.1 data with the PEMParser causes an OutOfMemoryError.

    How to fix Uncontrolled Resource Consumption ('Resource Exhaustion')?

    Upgrade org.bouncycastle:bc-fips-debug to version 1.0.2.4 or higher.

    Vulnerable versions: [,1.0.2.4)
    • H (high severity): Improper Authentication

    Affected versions of this package are vulnerable to Improper Authentication. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules, where it is possible for temporary keys used by the module to be zeroed out while still in use by the module.

    Notes:

    1. FIPS compliant users are unaffected because the FIPS certification is only for Java 7, 8, and 11.

    2. The assessed High impact on both Confidentiality and Integrity is due to the encryption, decryption, and authentication failures, which could cause the internal keys in the FIPS module to be improperly encrypted or, at times, corrupted.

    The issue can be exploited when the JVM is under memory pressure. Because exploitation requires conditions that are harder to achieve, we rated the Attack Complexity as High.

    There is no clear indication that an attacker needs local access.

    How to fix Improper Authentication?

    Upgrade org.bouncycastle:bc-fips-debug to version 1.0.2.4 or higher.

    Vulnerable versions: [,1.0.2.4)