LDAP Injection

Affected versions of this package are vulnerable to LDAP Injection via the parseDN handling and the LDAP store helpers in X509LDAPCertStoreSpi and LDAPStoreHelper. An attacker can influence LDAP search filters by supplying a crafted X.500 subject or issuer string that is parsed into an unescaped filter value. This lets the attacker alter the directory query used to locate certificates and CRLs, causing the application to retrieve incorrect LDAP entries or fail to find the intended ones, which can break certificate validation and revocation checks.
How to fix LDAP Injection? Upgrade org.bouncycastle:bcprov-debug-jdk14 to version 1.84 or higher.
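
For code that builds its own LDAP search filters from certificate subject or issuer components, the following added example (not Bouncy Castle's code and not part of the original advisory) shows a filter value used verbatim next to the RFC 4515 escaped form. The class and method names are hypothetical and the sample CN is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class LdapFilterEscapeExample {
    // Attribute names are restricted to letters, digits and hyphens here.
    private static final Pattern ATTR = Pattern.compile("[A-Za-z][A-Za-z0-9-]*");

    // RFC 4515 section 3: '*', '(', ')', '\' and NUL must appear as \XX in a
    // filter value. Non-ASCII UTF-8 bytes are escaped too, which the RFC permits.
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder();
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            if (c == '*' || c == '(' || c == ')' || c == '\\' || c == 0 || c >= 0x80) {
                out.append(String.format("\\%02x", c));
            } else {
                out.append((char) c);
            }
        }
        return out.toString();
    }

    // Hypothetical "before" helper: the DN component goes into the filter verbatim.
    static String unescapedFilter(String attr, String value) {
        return "(" + attr + "=" + value + ")";
    }

    // Hardened form: attribute name checked, value escaped.
    static String escapedFilter(String attr, String value) {
        if (!ATTR.matcher(attr).matches()) {
            throw new IllegalArgumentException("unexpected attribute name: " + attr);
        }
        return "(" + attr + "=" + escapeFilterValue(value) + ")";
    }

    public static void main(String[] args) {
        // Constructed sample: a CN taken from a certificate subject that happens
        // to contain filter metacharacters.
        String cn = "Acme (Root) CA*";
        // Verbatim: the parentheses and wildcard reach the directory as filter syntax.
        System.out.println(unescapedFilter("cn", cn));
        // Escaped: the same characters arrive as literal data.
        System.out.println(escapedFilter("cn", cn));
    }
}
```

Escaping in application code complements the upgrade; it does not replace it.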

Use of a Broken or Risky Cryptographic Algorithm

Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to the generateCTR process in G3413CTRBlockCipher. An attacker can recover relationships between encrypted plaintext blocks by driving the cipher past its counter range and causing the counter to wrap, which makes the stream repeat and produces identical ciphertext for different blocks. This breaks the confidentiality of data protected with G3413CTRBlockCipher and can expose plaintext patterns or allow plaintext recovery when the same key and IV are reused across enough blocks.
How to fix Use of a Broken or Risky Cryptographic Algorithm? Upgrade org.bouncycastle:bcprov-debug-jdk14 to version 1.84 or higher.

Timing Attack

Affected versions of this package are vulnerable to Timing Attack through the sample and sample_matrix functions in FrodoEngine.java. An attacker can recover information about the sampled noise values by observing how long Frodo key generation or encapsulation takes when it processes attacker-influenced inputs. The variable-time comparison and sign handling in the error sampler leak the distribution of the generated samples, weakening the secrecy of the private Frodo noise and enabling key-recovery attacks against affected deployments.
How to fix Timing Attack? Upgrade org.bouncycastle:bcprov-debug-jdk14 to version 1.84 or higher.