java-sdk

Some CVEs in current release

Open z0mb1ek opened this issue 4 months ago • 0 comments

Hi, when will you fix it?

Dependency maven:org.bouncycastle:bcprov-jdk15on:1.61 is vulnerable

CVE-2019-17359, Score: 7.5

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.

Read More: https://www.mend.io/vulnerability-database/CVE-2019-17359?utm_source=JetBrains

CVE-2024-29857, Score: 7.5

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

Read More: https://www.mend.io/vulnerability-database/CVE-2024-29857?utm_source=JetBrains

CVE-2024-30172, Score: 7.5

An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.

Read More: https://www.mend.io/vulnerability-database/CVE-2024-30172?utm_source=JetBrains

CVE-2024-30171, Score: 5.9

An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.

Read More: https://www.mend.io/vulnerability-database/CVE-2024-30171?utm_source=JetBrains

CVE-2020-15522, Score: 5.9

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.

Read More: https://www.mend.io/vulnerability-database/CVE-2020-15522?utm_source=JetBrains

CVE-2023-33202, Score: 5.5

Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)

Read More: https://www.mend.io/vulnerability-database/CVE-2023-33202?utm_source=JetBrains

CVE-2023-33201, Score: 5.3

Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.

Read More: https://www.mend.io/vulnerability-database/CVE-2023-33201?utm_source=JetBrains

Results powered by Mend.io

and I also see in the logs that:

Vulnerable protobuf generated type in use: yandex.cloud.api.iam.v1.IamTokenServiceOuterClass$CreateIamTokenResponse As of 2022/09/29 (release 21.7) makeExtensionsImmutable should not be called from protobuf gencode. If you are seeing this message, your gencode is vulnerable to a denial of service attack. You should regenerate your code using protobuf 25.6 or later. Use the latest version that meets your needs. However, if you understand the risks and wish to continue with vulnerable gencode, you can set the system property -Dcom.google.protobuf.use_unsafe_pre22_gencode on the command line to silence this warning. You also can set -Dcom.google.protobuf.error_on_unsafe_pre22_gencode to throw an error instead. See security vulnerability: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2

z0mb1ek, Sep 24 '25 23:09
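As an added check (not code from the java-sdk project or the issue author): a POSIX shell helper that scans `mvn dependency:list` output for Bouncy Castle artifacts older than 1.78, the earliest release the advisories above cite as fixing every listed CVE. The sample dependency lines are constructed, and `version_lt`, `flag_vulnerable_bc` and `BC_FIXED_VERSION` are this example's own names.

```shell
#!/bin/sh
# Added example, not part of the java-sdk project. Flags Bouncy Castle
# artifacts below 1.78, the fix version the advisories above converge on.
# Assumes POSIX sh plus awk; all names here are this example's own.

BC_FIXED_VERSION='1.78'

# Constructed sample of `mvn dependency:list` output: the 1.61 lines mirror
# the coordinates reported in the issue, the jdk18on line is a patched artifact.
SAMPLE_DEPS='[INFO] The following files have been resolved:
[INFO]    org.bouncycastle:bcprov-jdk15on:jar:1.61:compile
[INFO]    org.bouncycastle:bcpkix-jdk15on:jar:1.61:compile
[INFO]    com.google.protobuf:protobuf-java:jar:3.21.7:compile
[INFO]    org.bouncycastle:bcprov-jdk18on:jar:1.78.1:runtime'

# version_lt A B: succeeds when A is numerically older than B, comparing
# dot-separated components (1.61 is older than 1.78; 1.78.1 is not).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# flag_vulnerable_bc: reads dependency lines on stdin and prints
# group:artifact:version for each org.bouncycastle artifact below the fix.
# Coordinates are group:artifact:type[:classifier]:version:scope, so the
# version is always the second-to-last colon-separated field.
flag_vulnerable_bc() {
  awk '$2 ~ /^org\.bouncycastle:/ { n = split($2, f, ":"); print f[1] ":" f[2] ":" f[n-1] }' |
  while IFS=: read -r group artifact version; do
    if version_lt "$version" "$BC_FIXED_VERSION"; then
      printf '%s:%s:%s\n' "$group" "$artifact" "$version"
    fi
  done
}

# Example run over the constructed sample; against a real build, pipe in
#   mvn dependency:list -DincludeGroupIds=org.bouncycastle
printf '%s\n' "$SAMPLE_DEPS" | flag_vulnerable_bc
```

Note that the bcprov-jdk15on artifact line the issue reports stopped before 1.78; the patched releases ship as bcprov-jdk18on, so the remediation is an artifact change as well as a version bump.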