Vulnerabilities

 1 via 2 paths

Dependencies

 13

Source

 GitHub

Commit

 b538d030

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
Status
  • 1
  • 0
  • 0

medium severity

Observable Timing Discrepancy

  • Vulnerable module: org.bouncycastle:bcprov-jdk18on
  • Introduced through: org.bouncycastle:bcpkix-jdk18on@1.78

Detailed paths

  • Introduced through: cryptomator/cryptolib@cryptomator/cryptolib#b538d030fa4885ba0ad9714b75bacb1f6da5c39c org.bouncycastle:bcpkix-jdk18on@1.78 org.bouncycastle:bcprov-jdk18on@1.78
  • Introduced through: cryptomator/cryptolib@cryptomator/cryptolib#b538d030fa4885ba0ad9714b75bacb1f6da5c39c org.bouncycastle:bcpkix-jdk18on@1.78 org.bouncycastle:bcutil-jdk18on@1.78 org.bouncycastle:bcprov-jdk18on@1.78

Overview

Affected versions of this package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP decryption process. An attacker can recover ciphertexts via a side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector leaks data via javax.crypto.Cipher exceptions and the OAEP interface vector leaks via the bit size of the decrypted data.

Remediation

There is no fixed version for org.bouncycastle:bcprov-jdk18on.

References

Observable Timing Discrepancy vulnerability report