CVE-2023-33202

low-risk
Published 2023-11-23

Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)

Do I need to act?

-
0.16% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
LOCAL / LOW complexity

Affected Products (2)

Bouncy Castle For Java
Fips Java Api

Affected Vendors

Bouncycastle

References (7)

Product https://bouncycastle.org
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902023%E2%80%9033202
Exploit https://github.com/bcgit/bc-java/wiki/CVE-2023-33202
Third Party Advisory https://security.netapp.com/advisory/ntap-20240125-0001/
Product https://bouncycastle.org
Exploit https://github.com/bcgit/bc-java/wiki/CVE-2023-33202
Third Party Advisory https://security.netapp.com/advisory/ntap-20240125-0001/
26
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 7/34 · Low