Search for packages
| purl | pkg:maven/org.bouncycastle/bc-fips@1.0.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2u8v-56gn-8uc2
Aliases: CVE-2020-15522 GHSA-6xx3-rg99-gc3p |
Timing based private key exposure in Bouncy Castle Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.2.1, BC before 1.66, BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures. |
Affected by 2 other vulnerabilities. |
|
VCID-4rs8-tp92-p7ck
Aliases: CVE-2024-29857 GHSA-8xfc-gm6g-vgpv |
Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation. An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters. |
Affected by 0 other vulnerabilities. |
|
VCID-g87j-yupf-tybu
Aliases: CVE-2022-45146 GHSA-68m8-v89j-7j2p |
Garbage collection issue in BC-FJA in Java 13 and later An issue was discovered in the FIPS Java API of Bouncy Castle BC-FJA before 1.0.2.4. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules where it is possible for temporary keys used by the module to be zeroed out while still in use by the module, resulting in errors or potential information loss. NOTE: FIPS compliant users are unaffected because the FIPS certification is only for Java 7, 8, and 11. |
Affected by 1 other vulnerability. |
|
VCID-nau9-4auz-pqbs
Aliases: CVE-2020-26939 GHSA-72m5-fvvv-55m6 |
Observable Differences in Behavior to Error Inputs in Bouncy Castle In Legion of the Bouncy Castle BC before 1.55 and BC-FJA before 1.0.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption. |
Affected by 3 other vulnerabilities. |
|
VCID-rary-mqyu-2yes
Aliases: CVE-2025-8885 GHSA-67mf-3cr5-8w23 |
Bouncy Castle for Java on All (API modules) allows Excessive Allocation A resource allocation vulnerability exists in Bouncy Castle for Java (by Legion of the Bouncy Castle Inc.) that affects all API modules. The vulnerability allows attackers to cause excessive memory allocation through unbounded resource consumption, potentially leading to denial of service. The issue is located in the ASN1ObjectIdentifier.java file in the core module. This issue affects Bouncy Castle for Java: from BC 1.0 through 1.77, from BC-FJA 1.0.0 through 2.0.0. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||