<p>Upgrade <code>org.bouncycastle:bcprov-jdk18on</code> to version 1.78 or higher.</p>

Observable Discrepancy Affecting org.bouncycastle:bcprov-jdk18on package, versions [,1.78)

Snyk CVSS

Attack Complexity High

Confidentiality High

Threat Intelligence

Exploit Maturity Proof of concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGBOUNCYCASTLE-6613076
published 14 Apr 2024
disclosed 11 Apr 2024
credit Hubert Kario

Report a new vulnerability Found a mistake?

Introduced: 11 Apr 2024

New CVE-2024-30171 Open this link in a new tab CWE-203 Open this link in a new tab

How to fix?

Upgrade org.bouncycastle:bcprov-jdk18on to version 1.78 or higher.

Overview

Affected versions of this package are vulnerable to Observable Discrepancy due to the timing difference between exceptions thrown when processing RSA key exchange handshakes, AKA Marvin.

Note: The implemented fix mitigates the leakage of data via the PKCS#1 interface, but does not fully alleviate the side-channel as it allows cases in which the padding check fails but the handshake succeeds.