WS-2019-0509 (Medium) detected in bcprov-jdk15on-1.56.jar

Question

WS-2019-0509 (Medium) detected in bcprov-jdk15on-1.56.jar

Closed this issue 3 years ago · 1 comments

mend-bolt-for-github commented 3 years ago

WS-2019-0509 - Medium Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: ApkSize-Analyzer/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

apkanalyzer-27.1.1.jar (Root Library)
- sdk-common-27.1.1.jar
  - ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Bouncy Castle through 1.68 is vulnerable to Denial of Service (DoS). The Dump.class file utilizes the FileInputStream object when reading from user-provided files, but doesn't close these streams properly.

Publish Date: 2019-12-24

URL: WS-2019-0509

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

Answer 1 · 2021-06-02T00:49:32.000Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.