CVE-2023-33201

Published: Jul 5, 2023Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.

Affected (1)

Products: Bouncycastle: Bc Java

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Bouncycastle Bc Java	Before 1.74

Related CWEs

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (10)

https://bouncycastle.org

Source: cve@mitre.org

Product

https://github.com/bcgit/bc-java/commit/e8c409a8389c815ea3fda5e8b94c92fdfe583bcc

Source: cve@mitre.org

Patch

https://github.com/bcgit/bc-java/wiki/CVE-2023-33201

Source: cve@mitre.org

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2023/08/msg00000.html

Source: cve@mitre.org

https://security.netapp.com/advisory/ntap-20230824-0008/

Source: cve@mitre.org

https://bouncycastle.org

Source: af854a3a-2127-422b-91ae-364da2661108

Product

https://github.com/bcgit/bc-java/commit/e8c409a8389c815ea3fda5e8b94c92fdfe583bcc

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/bcgit/bc-java/wiki/CVE-2023-33201

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2023/08/msg00000.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20230824-0008/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.