CVE-2024-34447

Sažetak

An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS TLS Java 1.0.19. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.

Reference

https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9034447
https://security.netapp.com/advisory/ntap-20240614-0007/
https://www.bouncycastle.org/latest_releases.html
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9034447
https://security.netapp.com/advisory/ntap-20240614-0007/
https://www.bouncycastle.org/latest_releases.html

CVSS

Base:	7.5
Impact:	3.6
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	NONE	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Zadnje važnije ažuriranje

17-06-2025 - 20:15

Objavljeno

03-05-2024 - 16:15