Skip to content

Bouncy Castle Java Cryptography API vulnerable to DNS poisoning

Low severity GitHub Reviewed Published May 3, 2024 to the GitHub Advisory Database • Updated Jan 17, 2025

Package

maven org.bouncycastle:bcprov-jdk12 (Maven)

Affected versions

>= 1.61, < 1.78

Patched versions

1.78
maven org.bouncycastle:bcprov-jdk14 (Maven)
>= 1.61, < 1.78
1.78
maven org.bouncycastle:bcprov-jdk15to18 (Maven)
>= 1.61, < 1.78
1.78
maven org.bouncycastle:bcprov-jdk18on (Maven)
>= 1.61, < 1.78
1.78

Description

An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.

References

Published by the National Vulnerability Database May 3, 2024
Published to the GitHub Advisory Database May 3, 2024
Reviewed May 3, 2024
Last updated Jan 17, 2025

Severity

Low

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(18th percentile)

Weaknesses

No CWEs

CVE ID

CVE-2024-34447

GHSA ID

GHSA-4h8f-2wvx-gg5w

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.