high severity
new
- Vulnerable module: org.bouncycastle:bcprov-jdk18on
- Introduced through: com.sendgrid:sendgrid-java@4.10.2
Detailed paths
- Introduced through: cf-toolsuite/cf-butler@cf-toolsuite/cf-butler#59fe18e6dc0f5092344c0195498e92e86b618f55 › com.sendgrid:sendgrid-java@4.10.2 › org.bouncycastle:bcprov-jdk18on@1.76
Overview
Affected versions of this package are vulnerable to Infinite loop in ED25519 verification in the ScalarUtil class. An attacker can send a malicious signature and public key to trigger denial of service.
Remediation
Upgrade org.bouncycastle:bcprov-jdk18on to version 1.78 or higher.
medium severity
new
- Vulnerable module: org.bouncycastle:bcprov-jdk18on
- Introduced through: com.sendgrid:sendgrid-java@4.10.2
Detailed paths
- Introduced through: cf-toolsuite/cf-butler@cf-toolsuite/cf-butler#59fe18e6dc0f5092344c0195498e92e86b618f55 › com.sendgrid:sendgrid-java@4.10.2 › org.bouncycastle:bcprov-jdk18on@1.76
Overview
Affected versions of this package are vulnerable to Observable Discrepancy due to the timing difference between exceptions thrown when processing RSA key exchange handshakes, AKA Marvin.
Note: The implemented fix mitigates the leakage of data via the PKCS#1 interface, but does not fully alleviate the side-channel as it allows cases in which the padding check fails but the handshake succeeds.
Remediation
Upgrade org.bouncycastle:bcprov-jdk18on to version 1.78 or higher.
medium severity
- Vulnerable module: org.bouncycastle:bcprov-jdk18on
- Introduced through: com.sendgrid:sendgrid-java@4.10.2
Detailed paths
- Introduced through: cf-toolsuite/cf-butler@cf-toolsuite/cf-butler#59fe18e6dc0f5092344c0195498e92e86b618f55 › com.sendgrid:sendgrid-java@4.10.2 › org.bouncycastle:bcprov-jdk18on@1.76
Overview
Affected versions of this package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP decryption process. An attacker can recover ciphertexts via a side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector leaks data via javax.crypto.Cipher exceptions and the OAEP interface vector leaks via the bit size of the decrypted data.
Remediation
Upgrade org.bouncycastle:bcprov-jdk18on to version 1.78 or higher.
medium severity
new
- Vulnerable module: org.bouncycastle:bcprov-jdk18on
- Introduced through: com.sendgrid:sendgrid-java@4.10.2
Detailed paths
- Introduced through: cf-toolsuite/cf-butler@cf-toolsuite/cf-butler#59fe18e6dc0f5092344c0195498e92e86b618f55 › com.sendgrid:sendgrid-java@4.10.2 › org.bouncycastle:bcprov-jdk18on@1.76
Overview
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the solveQuadraticEquation() function used for certificate verification in ECCurve.java. Passing a large f2m parameter can cause excessive CPU consumption.
Remediation
Upgrade org.bouncycastle:bcprov-jdk18on to version 1.78 or higher.