## CVE-2024-29857 - High Severity Vulnerability

Vulnerable Library - bouncycastle.cryptography.2.2.1.nupkg

BouncyCastle.NET is a popular cryptography library for .NET

Library home page: https://api.nuget.org/packages/bouncycastle.cryptography.2.2.1.nupkg

Path to dependency file: /Tests/Converter/Cube.Pdf.Converter.Tests.csproj

Path to vulnerable library: /tmp/ws-scm/packages/bouncycastle.cryptography/2.2.1/bouncycastle.cryptography.2.2.1.nupkg,/tmp/ws-scm/packages/bouncycastle.cryptography/2.2.1/bouncycastle.cryptography.2.2.1.nupkg,/tmp/ws-scm/packages/bouncycastle.cryptography/2.2.1/bouncycastle.cryptography.2.2.1.nupkg,/tmp/ws-scm/packages/bouncycastle.cryptography/2.2.1/bouncycastle.cryptography.2.2.1.nupkg,/tmp/ws-scm/packages/bouncycastle.cryptography/2.2.1/bouncycastle.cryptography.2.2.1.nupkg,/tmp/ws-scm/packages/bouncycastle.cryptography/2.2.1/bouncycastle.cryptography.2.2.1.nupkg,/tmp/ws-scm/packages/bouncycastle.cryptography/2.2.1/bouncycastle.cryptography.2.2.1.nupkg,/tmp/ws-scm/packages/bouncycastle.cryptography/2.2.1/bouncycastle.cryptography.2.2.1.nupkg,/tmp/ws-scm/packages/bouncycastle.cryptography/2.2.1/bouncycastle.cryptography.2.2.1.nupkg

Dependency Hierarchy: - Cube.Pdf.Itext-9.1.0 (Root Library) - itext.bouncy-castle-adapter.8.0.5.nupkg - :x: **bouncycastle.cryptography.2.2.1.nupkg** (Vulnerable Library)

Found in HEAD commit: d0002248b833fa0612caf2b7e163fa30df38b8cb

Found in base branch: master

Vulnerability Details

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

Publish Date: 2024-05-14

URL: CVE-2024-29857

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-8xfc-gm6g-vgpv

Release Date: 2024-05-14

Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78, BouncyCastle.Cryptography - 2.3.1

*** Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2024-29857 (High) detected in bouncycastle.cryptography.2.2.1.nupkg - autoclosed #47

Company

Community

Support

Connect