Vulnerability Description
Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bouncycastle | Bouncy Castle For Java | < 1.73 |
| Bouncycastle | Fips Java Api | < 1.0.2.4 |
Related Weaknesses (CWE)
References
- https://bouncycastle.orgProduct
- https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902023%E2%80%9033202
- https://github.com/bcgit/bc-java/wiki/CVE-2023-33202ExploitThird Party Advisory
- https://security.netapp.com/advisory/ntap-20240125-0001/Third Party Advisory
- https://bouncycastle.orgProduct
- https://github.com/bcgit/bc-java/wiki/CVE-2023-33202ExploitThird Party Advisory
- https://security.netapp.com/advisory/ntap-20240125-0001/Third Party Advisory
FAQ
What is CVE-2023-33202?
CVE-2023-33202 is a vulnerability with a CVSS score of 5.5 (MEDIUM). Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams c...
How severe is CVE-2023-33202?
CVE-2023-33202 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-33202?
Check the references section above for vendor advisories and patch information. Affected products include: Bouncycastle Bouncy Castle For Java, Bouncycastle Fips Java Api.