CVE-2024-30172 – bouncycastle.cryptography
Package
Manager: nuget
Name: bouncycastle.cryptography
Vulnerable Version: >=0 <2.3.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00136 (percentile: 0.3418)
Details
Bouncy Castle crafted signature and public key can be used to trigger an infinite loop
An issue was discovered in Bouncy Castle Java Cryptography APIs starting in 1.73 and before 1.78. A crafted signature and public key can cause an infinite loop in the Ed25519 verification code.
Metadata
Created: 2024-05-14T15:32:54Z
Modified: 2024-12-02T16:27:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json
CWE IDs: ["CWE-835"]
Alternative ID: GHSA-m44j-cfrm-g8qc
Finding: F138
Auto approve: 1