
Observable Discrepancy in BouncyCastle

CVE-2024-30171

  • BouncyCastle
  • BouncyCastle.Core
  • BouncyCastle.CoreClr
  • BouncyCastle.Crypto.1.8.6
  • BouncyCastle.Crypto
  • BouncyCastle.Crypto.dll
  • BouncyCastle.Cryptoe
  • BouncyCastle.Cryptography
  • BouncyCastle.Crypto.NetCore
  • BouncyCastle.Diffie-hellman
  • BouncyCastle.NetCore
  • BouncyCastle.NetCoreSdk
  • BouncyCastle.NetFramework
  • BouncyCastle.zzBit
  • org.bouncycastle:bc-fips
  • org.bouncycastle:bc-fips-debug
  • org.bouncycastle:bcprov-debug-jdk14
  • org.bouncycastle:bcprov-debug-jdk15on
  • org.bouncycastle:bcprov-debug-jdk18on
  • org.bouncycastle:bcprov-debug-jdk15to18
  • org.bouncycastle:bcprov-ext-debug-jdk14
  • org.bouncycastle:bcprov-ext-debug-jdk15on
  • org.bouncycastle:bcprov-ext-debug-jdk18on
  • org.bouncycastle:bcprov-ext-debug-jdk15to18
  • org.bouncycastle:bcprov-ext-jdk14
  • org.bouncycastle:bcprov-ext-jdk15on
  • org.bouncycastle:bcprov-ext-jdk18on
  • org.bouncycastle.bcprov-ext-jdk15on.1.57.org.bouncycastle:bcprov-ext-jdk15on
  • org.bouncycastle:bcprov-ext-jdk15to18
  • org.bouncycastle:bcprov-jdk14
  • org.bouncycastle:bcprov-jdk15+
  • org.bouncycastle:bcprov-jdk15
  • org.bouncycastle:bcprov-jdk16
  • org.bouncycastle:bcprov-jdk15on
  • org.bouncycastle:bcprov-jdk18on
  • org.bouncycastle.bcprov-jdk15on.1.57.org.bouncycastle:bcprov-jdk15on
  • org.bouncycastle:bcprov-jdk15to18
  • org.bouncycastle:bcprov-lts8on
  • org.bouncycastle:bctls-debug-jdk18on
  • org.bouncycastle:bctls-debug-jdk15to18
  • org.bouncycastle:bctls-fips
  • org.bouncycastle:bctls-jdk14
  • org.bouncycastle:bctls-jdk15on
  • org.bouncycastle:bctls-jdk18on
  • org.bouncycastle.bctls-jdk15on.1.57.org.bouncycastle:bctls-jdk15on
  • org.bouncycastle:bctls-jdk15to18
  • org.bouncycastle:bctls-lts8on
Severity Medium
Score 5.9/10

Summary

An issue was discovered in the Bouncy Castle Java TLS API and JSSE Provider before 1.78. This issue also affects the Bouncy Castle C# package prior to 2.3.1. Timing-based leakage may occur in RSA-based handshakes because of exception processing.

  • HIGH
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-203 - Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Advisory Timeline

  • Published