Cryptographic Issues Affecting org.bouncycastle:bcprov-jdk15on package, versions [1.47, 1.69)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGBOUNCYCASTLE-2841508
- published 26 May 2022
- disclosed 23 May 2022
- credit erezul
How to fix?
Upgrade org.bouncycastle:bcprov-jdk15on to version 1.69 or higher.
Overview
org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.
Affected versions of this package are vulnerable to Cryptographic Issues via weak key-hash message authentication code (HMAC) that is only 16 bits long which can result in hash collisions, as a result of an error within the BKS version 1 keystore (BKS-V1) files and could lead to an attacker being able to affect the integrity of these files. This vulnerability was introduced following an incomplete fix for CVE-2018-5382.