[CASSANDRA-18723] bcprov-jdk15on-1.70.jar vulnerability: CVE-2023-33201 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Normal
Resolution: Fixed
Fix Version/s: 5.0-alpha1, 5.0
Component/s: Dependencies
Labels:
None

Bug Category:
Security - Privilege Escalation
Severity:
Normal
Complexity:
Normal
Discovered By:
User Report
Platform:

All
Impacts:

None
Test and Documentation Plan:

Hide

run dependency-check

Show
run dependency-check

Description

https://nvd.nist.gov/vuln/detail/CVE-2023-33201

Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.

Attachments

Issue Links

is fixed by

CASSANDRA-18729 Remove unnecessary Netty dependencies after upgrade to 4.1.96

Resolved

Activity

People

Assignee:: Brandon Williams

Reporter:: Brandon Williams

Authors:: Brandon Williams

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 04/Aug/23 10:58

Updated:: 12/Sep/23 13:02

Resolved:: 08/Aug/23 14:58