Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[GHSA-m44j-cfrm-g8qc] Bouncy Castle crafted signature and public key can be used to trigger an infinite loop #5044

Conversation

amita-seal
Copy link

Updates

  • Affected products
  • CVSS v3

Comments
Vulnerable code was introduced only in version 1.73 via bcgit/bc-java@1b9fd9b, which was later fixed by bcgit/bc-java@9c16579 and bcgit/bc-java@ebe1c75.
org.bouncycastle:bcprov-jdk15on does not have version 1.73 as per https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on, so this vulnerability is not relevant to it at all.

@github-actions github-actions bot changed the base branch from main to amita-seal/advisory-improvement-5044 December 2, 2024 08:53
@shelbyc
Copy link
Contributor

shelbyc commented Dec 2, 2024

Hi @amita-seal, thanks for the heads up about CVE-2024-30172 having been introduced in version 1.73, specifically in bcgit/bc-java@1b9fd9b. In addition to removing org.bouncycastle:bcprov-jdk15on as an affected product, I've added 1.73 as the lowest vulnerable version in the remaining Maven products that do have a version 1.73 and changed the description to indicate the vulnerable code was added in version 1.73.

@advisory-database advisory-database bot merged commit ba73dcd into amita-seal/advisory-improvement-5044 Dec 2, 2024
2 checks passed
@advisory-database
Copy link
Contributor

Hi @amita-seal! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the amita-seal-GHSA-m44j-cfrm-g8qc branch December 2, 2024 16:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants