Description
Legion of the Bouncy Castle Java Cryptography APIs, versions 1.58 up to but not including 1.60, contain a CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, 'Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization: deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. A handcrafted private key can include references to unexpected classes, which are picked up from the class path of the executing application. This vulnerability appears to have been fixed in 1.60 and later.
Report
The XMSS/XMSS^MT algorithms were first introduced in upstream Bouncy Castle version 1.57. Versions prior to this that have not had the new algorithms back-ported are not affected.
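The defect described above is that class names carried inside untrusted key data decide which classes get loaded and instantiated. The usual defence is to resolve only an explicit allow-list of classes during deserialization. The following is an added illustration of that pattern, not Bouncy Castle's own code; the classes `ExpectedState` and `UnexpectedClass` are hypothetical stand-ins for the state object a key legitimately carries and for an unrelated class that crafted key data could name instead.

```java
import java.io.*;
import java.util.Set;
public class RestrictedDeserialization {
    // Stand-in for the state object a key legitimately carries (hypothetical name).
    static final class ExpectedState implements Serializable {
        private static final long serialVersionUID = 1L;
        final int index;
        ExpectedState(int index) { this.index = index; }
    }
    // Stand-in for an unrelated class that crafted key data could name instead (hypothetical).
    static final class UnexpectedClass implements Serializable {
        private static final long serialVersionUID = 1L;
    }
    // ObjectInputStream that resolves only classes on an explicit allow-list;
    // any other class name found in the stream is rejected before it is instantiated.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowListObjectInputStream(byte[] data, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(data));
            this.allowed = allowed;
        }
        @Override protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not permitted in key data");
            }
            return super.resolveClass(desc);
        }
    }
    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    // Deserialize, accepting only the single class the caller expects.
    static <T> T deserialize(byte[] data, Class<T> expected) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(data, Set.of(expected.getName()))) {
            return expected.cast(in.readObject());
        }
    }
    public static void main(String[] args) throws Exception {
        ExpectedState ok = deserialize(serialize(new ExpectedState(7)), ExpectedState.class);
        System.out.println("accepted, index=" + ok.index);
        try {
            deserialize(serialize(new UnexpectedClass()), ExpectedState.class);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed with the standard `java.io.ObjectInputFilter` instead of overriding `resolveClass`.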
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| JBoss Developer Studio 11 | bouncycastle | Not affected | | |
| Red Hat Fuse 7 | jclouds-bouncycastle | Not affected | | |
| Red Hat JBoss Data Virtualization 6 | bouncycastle | Will not fix | | |
| Red Hat JBoss Enterprise Application Platform 7 | bouncycastle | Not affected | | |
| Red Hat JBoss Fuse 6 | jclouds-bouncycastle | Not affected | | |
| Red Hat Satellite 6 | bouncycastle | Not affected | | |
| Red Hat Software Collections | rh-eclipse46-bouncycastle | Not affected | | |
| Red Hat Subscription Asset Manager | bouncycastle | Not affected | | |
| Red Hat Virtualization 4 | eap7-bouncycastle | Not affected | | |
Additional information
CVSS3: 4.9 Medium
Related vulnerabilities
Deserialization of Untrusted Data in Bouncy Castle
CVSS3: 4.9 Medium