CVE-2024-34447

EUVD-2024-1414
An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS TLS Java 1.0.19. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
Debian logo
Debian Releases
Debian Product
Codename
bouncycastle
bookworm
no-dsa
bullseye
no-dsa
buster
postponed
forky
1.80-3
fixed
sid
1.80-3
fixed
trixie
1.80-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
bouncycastle
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
mantic
ignored
noble
needs-triage
oracular
ignored
plucky
needs-triage
questing
needs-triage
xenial
needs-triage
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
bouncycastle
Amazon Linux 2023
0:1.70-4.amzn2023.0.5
fixed
bouncycastle-javadoc
Amazon Linux 2023
0:1.70-4.amzn2023.0.5
fixed
bouncycastle-mail
Amazon Linux 2023
0:1.70-4.amzn2023.0.5
fixed
bouncycastle-pg
Amazon Linux 2023
0:1.70-4.amzn2023.0.5
fixed
bouncycastle-pkix
Amazon Linux 2023
0:1.70-4.amzn2023.0.5
fixed
bouncycastle-tls
Amazon Linux 2023
0:1.70-4.amzn2023.0.5
fixed
bouncycastle-util
Amazon Linux 2023
0:1.70-4.amzn2023.0.5
fixed