Skip to content

Bouncy Castle Java Cryptography API vulnerable to DNS poisoning

Low severity GitHub Reviewed Published May 3, 2024 to the GitHub Advisory Database • Updated Jun 14, 2024

Package

maven org.bouncycastle:bcprov-jdk12 (Maven)

Affected versions

>= 1.61, < 1.78

Patched versions

1.78
maven org.bouncycastle:bcprov-jdk13 (Maven)
>= 1.61, < 1.78
1.78
maven org.bouncycastle:bcprov-jdk14 (Maven)
>= 1.61, < 1.78
1.78
maven org.bouncycastle:bcprov-jdk15to18 (Maven)
>= 1.61, < 1.78
1.78
maven org.bouncycastle:bcprov-jdk18on (Maven)
>= 1.61, < 1.78
1.78

Description

An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.

References

Published by the National Vulnerability Database May 3, 2024
Published to the GitHub Advisory Database May 3, 2024
Reviewed May 3, 2024
Last updated Jun 14, 2024

Severity

Low

EPSS score

0.045%
(17th percentile)

Weaknesses

No CWEs

CVE ID

CVE-2024-34447

GHSA ID

GHSA-4h8f-2wvx-gg5w

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.