amank22/ApkSize-Analyzer

CVE-2018-1000180 (High) detected in bcprov-jdk15on-1.56.jar

Closed this issue · 1 comments

mend-bolt-for-github commented

CVE-2018-1000180 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: ApkSize-Analyzer/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

  • apkanalyzer-27.0.1.jar (Root Library)
    • sdk-common-27.0.1.jar
      • bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in HEAD commit: 194e141236cff70db326c0ec4edb25b034178df5

Found in base branch: main

Vulnerability Details

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

Publish Date: 2018-06-05

URL: CVE-2018-1000180

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000180

Release Date: 2018-06-05

Fix Resolution: org.bouncycastle:bcprov-jdk15on:1.60,org.bouncycastle:bcprov-jdk14:1.60,org.bouncycastle:bcprov-ext-jdk14:1.60,org.bouncycastle:bcprov-ext-jdk15on:1.60

Step up your Open Source Security Game with WhiteSource here

stale commented

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.