Vulnerabilities

7 via 49 paths

Dependencies

24

Source

GitHub

Commit

4bd12587


medium severity

Uncontrolled Resource Consumption ('Resource Exhaustion')

  • Vulnerable module: commons-io:commons-io
  • Introduced through: commons-io:commons-io@2.11.0

Detailed paths

  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 commons-io:commons-io@2.11.0
    Remediation: Upgrade to commons-io:commons-io@2.14.0.

Overview

commons-io:commons-io is the Apache Commons IO library, which contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') through the XmlStreamReader class. An attacker can cause the application to consume excessive CPU resources by sending specially crafted XML content.

Remediation

Upgrade commons-io:commons-io to version 2.14.0 or higher.

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: org.bouncycastle:bcprov-jdk15on@1.70, org.bouncycastle:bcpkix-jdk15on@1.70 and others

Detailed paths

  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcpg-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcutil-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcutil-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcutil-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the ASN1ObjectIdentifier. An attacker can cause excessive resource consumption by submitting specially crafted ASN.1 Object Identifiers, potentially leading to service disruption.

Note: This issue only applies to applications that consume unvetted or otherwise unvalidated ASN.1 encodings.

Remediation

A fix was pushed into the master branch but not yet published.

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: org.bouncycastle:bcprov-jdk15on@1.70, org.bouncycastle:bcpkix-jdk15on@1.70 and others

Detailed paths

  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcpg-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcutil-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcutil-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcutil-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper processing of large name constraint structures in PKIXCertPathReviewer. An attacker can cause excessive resource allocation by submitting specially crafted ASN.1 objects, potentially leading to service disruption.

Workaround

This vulnerability can be mitigated by limiting the size of ASN.1 objects that can be loaded from untrusted sources, thereby capping the maximum size of a Name Constraints structure.

Remediation

A fix was pushed into the master branch but not yet published.

medium severity

Observable Discrepancy

  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: org.bouncycastle:bcprov-jdk15on@1.70, org.bouncycastle:bcpkix-jdk15on@1.70 and others

Detailed paths

  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcpg-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcutil-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcutil-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcutil-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Observable Discrepancy due to the timing difference between exceptions thrown when processing RSA key exchange handshakes, AKA Marvin.

Note: The implemented fix mitigates the leakage of data via the PKCS#1 interface, but does not fully alleviate the side-channel as it allows cases in which the padding check fails but the handshake succeeds.

Remediation

There is no fixed version for org.bouncycastle:bcprov-jdk15on.

medium severity

Uncontrolled Resource Consumption ('Resource Exhaustion')

  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: org.bouncycastle:bcprov-jdk15on@1.70, org.bouncycastle:bcpkix-jdk15on@1.70 and others

Detailed paths

  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcpg-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcutil-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcutil-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcutil-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') within the org.bouncycastle.openssl.PEMParser class. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError.

Workaround

The attack can be avoided by filtering PEM requests containing EXTERNAL tagged encodings.

Remediation

There is no fixed version for org.bouncycastle:bcprov-jdk15on.

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: org.bouncycastle:bcprov-jdk15on@1.70, org.bouncycastle:bcpkix-jdk15on@1.70 and others

Detailed paths

  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcpg-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcutil-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcutil-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcutil-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the solveQuadraticEquation() function used for certificate verification in ECCurve.java. Passing a large f2m parameter can cause excessive CPU consumption.

Remediation

There is no fixed version for org.bouncycastle:bcprov-jdk15on.

medium severity

Information Exposure

  • Vulnerable module: org.bouncycastle:bcprov-jdk15on
  • Introduced through: org.bouncycastle:bcprov-jdk15on@1.70, org.bouncycastle:bcpkix-jdk15on@1.70 and others

Detailed paths

  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcpg-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcutil-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcutil-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70
  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.bouncycastle:bcmail-jdk15on@1.70 org.bouncycastle:bcpkix-jdk15on@1.70 org.bouncycastle:bcutil-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on@1.70

Overview

org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms.

Affected versions of this package are vulnerable to Information Exposure due to missing validation of the X.500 name of any certificate subject or issuer. The presence of a wildcard may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data.

Note: The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.

Remediation

A fix was pushed into the master branch but not yet published.

medium severity

EPL-1.0 license

  • Module: org.eclipse.mylyn.github:org.eclipse.egit.github.core
  • Introduced through: org.eclipse.mylyn.github:org.eclipse.egit.github.core@2.1.5

Detailed paths

  • Introduced through: viewv/EncBox@viewv/EncBox#4bd12587ce7fb2f0f7d66e16dca815915f71bb09 org.eclipse.mylyn.github:org.eclipse.egit.github.core@2.1.5

EPL-1.0 license