Vulnerabilities

4 via 4 paths

Dependencies

128

Source

GitHub

Commit

59fe18e6


high severity
new

Infinite loop

  • Vulnerable module: org.bouncycastle:bcprov-jdk18on
  • Introduced through: com.sendgrid:sendgrid-java@4.10.2

Detailed paths

  • Introduced through: cf-toolsuite/cf-butler@cf-toolsuite/cf-butler#59fe18e6dc0f5092344c0195498e92e86b618f55 › com.sendgrid:sendgrid-java@4.10.2 › org.bouncycastle:bcprov-jdk18on@1.76

Overview

Affected versions of this package are vulnerable to Infinite Loop in Ed25519 signature verification in the ScalarUtil class. An attacker can send a malicious signature and public key to trigger a denial of service.

Remediation

Upgrade org.bouncycastle:bcprov-jdk18on to version 1.78 or higher.

medium severity
new

Observable Discrepancy

  • Vulnerable module: org.bouncycastle:bcprov-jdk18on
  • Introduced through: com.sendgrid:sendgrid-java@4.10.2

Detailed paths

  • Introduced through: cf-toolsuite/cf-butler@cf-toolsuite/cf-butler#59fe18e6dc0f5092344c0195498e92e86b618f55 › com.sendgrid:sendgrid-java@4.10.2 › org.bouncycastle:bcprov-jdk18on@1.76

Overview

Affected versions of this package are vulnerable to Observable Discrepancy due to the timing difference between the exceptions thrown when processing RSA key exchange handshakes, also known as the Marvin attack.

Note: The implemented fix mitigates the leakage of data via the PKCS#1 interface, but does not fully alleviate the side-channel as it allows cases in which the padding check fails but the handshake succeeds.

Remediation

Upgrade org.bouncycastle:bcprov-jdk18on to version 1.78 or higher.

medium severity

Observable Timing Discrepancy

  • Vulnerable module: org.bouncycastle:bcprov-jdk18on
  • Introduced through: com.sendgrid:sendgrid-java@4.10.2

Detailed paths

  • Introduced through: cf-toolsuite/cf-butler@cf-toolsuite/cf-butler#59fe18e6dc0f5092344c0195498e92e86b618f55 › com.sendgrid:sendgrid-java@4.10.2 › org.bouncycastle:bcprov-jdk18on@1.76

Overview

Affected versions of this package are vulnerable to Observable Timing Discrepancy in the PKCS#1 v1.5 and OAEP decryption process. An attacker can recover ciphertexts via a side-channel attack by exploiting the Marvin security flaw. The PKCS#1 v1.5 attack vector leaks data via javax.crypto.Cipher exceptions, and the OAEP interface vector leaks via the bit size of the decrypted data.

Remediation

Upgrade org.bouncycastle:bcprov-jdk18on to version 1.78 or higher.

medium severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.bouncycastle:bcprov-jdk18on
  • Introduced through: com.sendgrid:sendgrid-java@4.10.2

Detailed paths

  • Introduced through: cf-toolsuite/cf-butler@cf-toolsuite/cf-butler#59fe18e6dc0f5092344c0195498e92e86b618f55 › com.sendgrid:sendgrid-java@4.10.2 › org.bouncycastle:bcprov-jdk18on@1.76

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the solveQuadraticEquation() function used for certificate verification in ECCurve.java. Passing a large f2m parameter can cause excessive CPU consumption.

Remediation

Upgrade org.bouncycastle:bcprov-jdk18on to version 1.78 or higher.