Use of Incorrectly-Resolved Name or Reference

CVE-2024-34447

Severity Medium
Score 5.3/10

Summary

An issue was discovered in Bouncy Castle Java Cryptography APIs. This affects org.bouncycastle JDK artifacts jdk15to18, bctls-debug-jdk18on, bctls-jdk15on, bctls-jdk18on, and bctls-debug-jdk15to18 for versions prior to version 1.78, org.bouncycastle:bctls-fips prior to version 1.0.19, and org.bouncycastle:bctls-lts8on prior to version 2.73.6. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with "HttpsURLConnection"), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.
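The two checks a practitioner will want after reading the summary are whether a declared bctls artifact is at or past the fixed version, and whether their own code hands the BCJSSE socket an explicit hostname. The Java below is an added example, not code from this advisory or from the Bouncy Castle project: the fixed-version table is taken from the summary above, the standard JSSE calls (`createSocket(host, port)`, `setEndpointIdentificationAlgorithm("HTTPS")`, `setServerNames`) are the usual way to bind a name to the socket, and the class name, the target host and the version strings in `main` are assumptions. `connectWithoutHostname` only mirrors the shape the summary describes (socket created bare, then connected to an address) and is not a proof of concept; upgrading to the fixed versions is the actual remediation, and the explicit-hostname form is defence in depth.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.Security;
import java.util.Collections;
import java.util.Map;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

// Assumed class name; not part of Bouncy Castle.
public class BcjsseHostnameExample {

    // Minimum fixed versions named in the advisory summary, keyed by artifactId.
    static final Map<String, String> FIXED = Map.of(
            "bctls-jdk18on", "1.78",
            "bctls-jdk15on", "1.78",
            "bctls-debug-jdk18on", "1.78",
            "bctls-debug-jdk15to18", "1.78",
            "bctls-fips", "1.0.19",
            "bctls-lts8on", "2.73.6");

    // True when the declared version is at or above the fixed version for that artifact.
    static boolean isFixed(String artifactId, String version) {
        String min = FIXED.get(artifactId);
        if (min == null) {
            throw new IllegalArgumentException("not an artifact named in the advisory: " + artifactId);
        }
        return compareVersions(version, min) >= 0;
    }

    // Component-wise numeric comparison of dotted versions ("1.78" vs "1.0.19").
    // Plain numeric components only; qualifiers such as "-SNAPSHOT" are not handled.
    static int compareVersions(String a, String b) {
        String[] x = a.split("\\."), y = b.split("\\.");
        for (int i = 0; i < Math.max(x.length, y.length); i++) {
            int xi = i < x.length ? Integer.parseInt(x[i]) : 0;
            int yi = i < y.length ? Integer.parseInt(y[i]) : 0;
            if (xi != yi) {
                return Integer.compare(xi, yi);
            }
        }
        return 0;
    }

    // Shape described in the summary: the socket is created with no hostname and is
    // only told an address to connect to, so the TLS layer must work out which name
    // to verify on its own. Shown for contrast, not as an exploit.
    static SSLSocket connectWithoutHostname(SSLSocketFactory factory, String host, int port) throws IOException {
        SSLSocket socket = (SSLSocket) factory.createSocket();
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.connect(new InetSocketAddress(host, port)); // name is resolved here, before the handshake
        socket.startHandshake();
        return socket;
    }

    // Defensive form: the hostname is bound at creation and repeated as the SNI server
    // name, so endpoint identification has the intended name regardless of what DNS returned.
    static SSLSocket connectWithHostname(SSLSocketFactory factory, String host, int port) throws IOException {
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        params.setServerNames(Collections.singletonList(new SNIHostName(host)));
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        Security.addProvider(new BouncyCastleJsseProvider());
        SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
        ctx.init(null, null, null); // default trust store; assumed adequate for the example

        // Assumed inputs: a pre-fix and a fixed version string, and a target host.
        System.out.println("bctls-jdk18on 1.77 fixed? " + isFixed("bctls-jdk18on", "1.77"));
        System.out.println("bctls-fips 1.0.19 fixed?  " + isFixed("bctls-fips", "1.0.19"));
        String host = args.length > 0 ? args[0] : "example.com";
        try (SSLSocket s = connectWithHostname(ctx.getSocketFactory(), host, 443)) {
            System.out.println("verified peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Code that reaches TLS through `HttpsURLConnection` does not create the socket itself, so it cannot adopt the explicit-hostname form; for that path the only remediation is moving the bctls artifact to the fixed version, which `isFixed` checks against the versions the summary names.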

CVSS v3 base metric values:

  • LOW
  • NETWORK
  • LOW
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • NONE

CWE-706 - Use of Incorrectly-Resolved Name or Reference

The software uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

Advisory Timeline

  • Published