Описание
Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
A flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data. The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| A-MQ Clients 2 | bouncycastle | Not affected | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch6-rhel8 | Not affected | ||
| Migration Toolkit for Applications 6 | bouncycastle | Will not fix | ||
| Migration Toolkit for Runtimes | bouncycastle | Will not fix | ||
| Red Hat A-MQ Online | bouncycastle | Not affected | ||
| Red Hat build of Apicurio Registry 2 | bouncycastle | Will not fix | ||
| Red Hat build of Debezium 1 | bouncycastle | Will not fix | ||
| Red Hat build of Debezium 2 | bouncycastle | Will not fix | ||
| Red Hat build of Quarkus | org.bouncycastle/bcprov-jdk15on | Will not fix | ||
| Red Hat Data Grid 8 | bouncycastle | Will not fix |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
Bouncy Castle For Java before 1.74 is affected by an LDAP injection vu ...
Bouncy Castle For Java LDAP injection vulnerability
EPSS
5.3 Medium
CVSS3