CVE-2023-33202 - OpenCVE

Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Bouncycastle	Bouncy Castle For Java

Configuration 1 [-]

cpe:2.3:a:bouncycastle:bouncy_castle_for_java:*:*:*:*:*:*:*:*

References

Link	Resource
https://bouncycastle.org	Product
https://github.com/bcgit/bc-java/wiki/CVE-2023-33202	Exploit Third Party Advisory
https://security.netapp.com/advisory/ntap-20240125-0001/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2023-11-23T00:00:00

Updated: 2024-01-25T14:06:28.223547

Reserved: 2023-05-18T00:00:00

Link: CVE-2023-33202

JSON object: View

NVD Information

Status : Modified

Published: 2023-11-23T16:15:07.273

Modified: 2024-01-25T14:15:25.783

Link: CVE-2023-33202

JSON object: View

Redhat Information

No data.

CWE

CWE-400

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bouncycastle:bouncy_castle_for_java:*:*:*:*:*:*:*:*", "matchCriteriaId": "A450303D-AF6E-4A81-BE1C-F744B728AC27", "versionEndExcluding": "1.73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)"}, {"lang": "es", "value": "Bouncy Castle para Java anterior a 1.73 contiene un posible problema de denegaci\u00f3n de servicio (DoS) dentro de la clase Bouncy Castle org.bouncycastle.openssl.PEMParser. Esta clase analiza secuencias codificadas OpenSSL PEM que contienen certificados X.509, claves codificadas PKCS8 y objetos PKCS7. El an\u00e1lisis de un archivo que ha creado datos ASN.1 a trav\u00e9s de PEMParser provoca un OutOfMemoryError, que puede permitir un ataque de denegaci\u00f3n de servicio."}], "id": "CVE-2023-33202", "lastModified": "2024-01-25T14:15:25.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-23T16:15:07.273", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://bouncycastle.org"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/bcgit/bc-java/wiki/CVE-2023-33202"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20240125-0001/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}