Use of Incorrectly-Resolved Name or Reference
CVE-2024-34447
Summary
An issue was discovered in the Bouncy Castle Java Cryptography APIs. It affects the org.bouncycastle JDK artifacts jdk15to18, bctls-debug-jdk18on, bctls-jdk15on, bctls-jdk18on, and bctls-debug-jdk15to18 prior to version 1.78, org.bouncycastle:bctls-fips prior to version 1.0.19, and org.bouncycastle:bctls-lts8on prior to version 2.73.6. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with "HttpsURLConnection"), hostname verification could in some situations be performed against the DNS-resolved IP address rather than against the hostname the application asked for. An attacker able to poison the client's DNS resolution could therefore steer the connection to an address they control, and a certificate matching that address rather than the intended name would satisfy the check, which is what endpoint identification is meant to prevent.
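The following added example (not Bouncy Castle's own code, and not taken from the advisory) contrasts the two socket-creation paths the summary distinguishes and adds a provider-independent post-handshake check that the leaf certificate names the host the application intended, so that a match against a resolved IP address can never stand in for the requested name. It assumes bcprov and bctls are on the classpath; the class name HostnameBoundTls, its method names, and the target example.com are illustrative choices.

```java
import java.net.InetSocketAddress;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

/**
 * Added example, not Bouncy Castle code. Illustrates the socket-creation
 * pattern named in the advisory next to a hostname-bound variant, plus a
 * post-handshake check that does not depend on the provider's endpoint
 * identification. Assumes bcprov and bctls are on the classpath.
 */
public final class HostnameBoundTls {

    /** Pattern the advisory describes: the socket is created with no hostname
     *  and only learns an InetSocketAddress at connect time. With an affected
     *  bctls version the "HTTPS" endpoint-identification check may then be run
     *  against the resolved IP instead of the name. Shown for contrast only. */
    static SSLSocket connectWithoutHostname(SSLSocketFactory f, String host, int port) throws Exception {
        SSLSocket s = (SSLSocket) f.createSocket();
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        s.connect(new InetSocketAddress(host, port)); // DNS resolution happens here
        return s;
    }

    /** Hostname-bound variant: the provider is given the name explicitly and
     *  SNI is pinned to it, so the name the certificate must match is the one
     *  the application asked for, not whatever the address resolves to. */
    static SSLSocket connectWithHostname(SSLSocketFactory f, String host, int port) throws Exception {
        SSLSocket s = (SSLSocket) f.createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        p.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(host)));
        s.setSSLParameters(p);
        return s;
    }

    /** Defence in depth after the handshake: require a dNSName SAN (GeneralName
     *  tag 2, RFC 5280) on the leaf that matches the intended host. iPAddress
     *  SANs (tag 7) are deliberately ignored so an address can never satisfy
     *  a check that was meant to be about a name. */
    static boolean leafMatchesHostname(SSLSession session, String intendedHost)
            throws SSLPeerUnverifiedException, CertificateParsingException {
        Certificate[] chain = session.getPeerCertificates();
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) return false;
        Collection<List<?>> sans = ((X509Certificate) chain[0]).getSubjectAlternativeNames();
        if (sans == null) return false;
        String want = intendedHost.toLowerCase(Locale.ROOT);
        for (List<?> san : sans) {
            if (((Integer) san.get(0)) != 2) continue; // only dNSName entries count
            if (dnsNameMatches(((String) san.get(1)).toLowerCase(Locale.ROOT), want)) return true;
        }
        return false;
    }

    /** Exact match, or a wildcard that is the entire left-most label and leaves
     *  at least two labels after it (so "*.com" never matches anything). */
    static boolean dnsNameMatches(String pattern, String host) {
        if (pattern.equals(host)) return true;
        if (!pattern.startsWith("*.") || pattern.indexOf('.', 2) < 0) return false;
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot + 1).equals(pattern.substring(2));
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        Security.addProvider(new BouncyCastleJsseProvider());
        String host = args.length > 0 ? args[0] : "example.com"; // illustrative target
        SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
        ctx.init(null, null, null); // default trust store
        try (SSLSocket s = connectWithHostname(ctx.getSocketFactory(), host, 443)) {
            s.startHandshake();
            if (!leafMatchesHostname(s.getSession(), host)) {
                throw new SSLPeerUnverifiedException("no dNSName SAN for " + host);
            }
            System.out.println("verified " + host + " -> " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Run as `java HostnameBoundTls some.host`. The second check is a belt-and-braces measure for code that cannot control how the JSSE provider derives the peer name; upgrading to the fixed versions listed above is still the actual remedy.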
- LOW
- NETWORK
- LOW
- UNCHANGED
- NONE
- NONE
- NONE
- NONE
CWE-706 - Use of Incorrectly-Resolved Name or Reference
The software uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.