CVE-2023-33201 Report - Details, Severity, & Advisories

Twingate Team

Apr 25, 2024

CVE-2023-33201 is an LDAP injection vulnerability in Bouncy Castle for Java, a widely used cryptographic library, affecting versions before 1.74. Rated medium severity, it occurs during X.509 certificate validation: the library builds an LDAP search filter from names taken out of the certificate without neutralizing LDAP filter metacharacters. Only applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates are affected. To mitigate it, update to Bouncy Castle for Java 1.74 or later.

How do I know if I'm affected?

You may be affected if your application uses an LDAP CertStore from Bouncy Castle (for example, a CertStore obtained with the "LDAP" store type and X509LDAPCertStoreParameters from the BC provider) to validate X.509 certificates and you are running a version before 1.74. The defect is in the X509LDAPCertStoreSpi.java class, which inserted the X.500 name of the certificate, its subject, or its issuer into LDAP search filters without checking for LDAP wildcard characters such as "*". A certificate carrying a crafted name can therefore widen the directory search and disclose entries it should never have matched. To find out whether you are affected, check the version of the bcprov (and bcpkix) artifacts on your classpath, including transitive dependencies, and whether your application uses the LDAP CertStore for certificate validation; applications that use Bouncy Castle only for other cryptography are not exposed through this bug.
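To make the mechanism concrete, the following is an added Python model of the injection and of one fix; it is not Bouncy Castle's code and simplifies what the library does (the real class talks to a live LDAP server and builds several filters). A certificate's CN is used to build a single-attribute LDAP search filter, first unescaped as in the vulnerable pattern, then with RFC 4515 escaping, and both filters are evaluated against a constructed in-memory directory. The directory entries, the subject names and the is_affected_upstream_version helper are assumptions made for this example.

```python
"""Model of CVE-2023-33201: an X.500 name placed into an LDAP search filter
without escaping lets a crafted certificate subject act as an LDAP wildcard.
Added example, simplified; not Bouncy Castle's implementation."""
import re
from typing import Dict, List

# Constructed in-memory "directory" standing in for the LDAP server that the
# CertStore would query. Keys are entry DNs, values are entry attributes.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=alice,ou=people,dc=example,dc=com": {"cn": "alice"},
    "cn=bob,ou=people,dc=example,dc=com": {"cn": "bob"},
    "cn=ca-admin,ou=people,dc=example,dc=com": {"cn": "ca-admin"},
}


def rdn_value(subject_dn: str, attr: str) -> str:
    """Pull one RDN value (e.g. the CN) out of a comma-separated DN string.
    Naive split: enough for the demo, not a full RFC 4514 parser."""
    for part in subject_dn.split(","):
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == attr.lower():
            return value
    raise ValueError(f"{attr} not present in {subject_dn!r}")


def build_filter_vulnerable(subject_dn: str) -> str:
    """Pre-1.74 pattern: the CN taken from the certificate goes straight into
    the filter, so '*', '(', ')' and '\\' keep their LDAP filter meaning."""
    return f"(cn={rdn_value(subject_dn, 'cn')})"


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping of a filter assertion value: metacharacters become
    backslash-hex so they are matched literally by the server."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_filter_hardened(subject_dn: str) -> str:
    """Hardened pattern: the CN is escaped before it enters the filter."""
    return f"(cn={ldap_filter_escape(rdn_value(subject_dn, 'cn'))})"


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn an LDAP assertion value into a regex the way a server would read
    it: an unescaped '*' matches anything, '\\XX' is one literal character,
    everything else is literal."""
    regex = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 2 < len(pattern) and re.fullmatch(
            r"[0-9a-fA-F]{2}", pattern[i + 1:i + 3]
        ):
            regex.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            regex.append(".*")
            i += 1
        else:
            regex.append(re.escape(ch))
            i += 1
    return re.compile("".join(regex), re.IGNORECASE)


def ldap_search(filter_str: str) -> List[str]:
    """Evaluate a single '(attr=value)' equality/substring filter against
    DIRECTORY and return the DNs of matching entries."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str, re.DOTALL)
    if not m:
        raise ValueError(f"unsupported filter {filter_str!r}")
    attr, value = m.group(1).lower(), m.group(2)
    regex = _pattern_to_regex(value)
    return [dn for dn, attrs in DIRECTORY.items()
            if attr in attrs and regex.fullmatch(attrs[attr])]


def is_affected_upstream_version(version: str) -> bool:
    """True when a Bouncy Castle for Java upstream version is before 1.74.
    Only meaningful for upstream artifacts (bcprov-jdk18on and friends):
    distro packages such as Debian's 1.60-1+deb10u1 keep the old upstream
    number but carry a backported fix, so consult the distro advisory there."""
    m = re.match(r"^(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version {version!r}")
    return (int(m.group(1)), int(m.group(2))) < (1, 74)


if __name__ == "__main__":
    honest = "CN=alice,O=Example Corp"   # constructed legitimate subject
    crafted = "CN=*,O=Example Corp"      # constructed attacker subject
    for label, build in (("vulnerable", build_filter_vulnerable),
                         ("hardened", build_filter_hardened)):
        for subj in (honest, crafted):
            flt = build(subj)
            print(f"{label:10} {subj!r:28} -> {flt:12} matches {ldap_search(flt)}")
```

With the crafted subject the vulnerable filter becomes `(cn=*)` and returns every entry in the directory, which is the information disclosure the advisory describes; the hardened filter `(cn=\2a)` matches only an entry literally named "*", so nothing is returned. Escaping is shown here because it neutralizes wildcards as well as the other filter metacharacters; rejecting names that contain wildcard characters outright, which is how the page describes the 1.74 change, is the other valid choice.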

What should I do if I'm affected?

If you are affected, update Bouncy Castle for Java to version 1.74 or later, which fixes the LDAP injection in the X509LDAPCertStoreSpi.java class. The class ships in the provider artifact (bcprov), so make sure every copy on the classpath, including ones pulled in transitively, is updated. Debian 10 (buster) users should upgrade the bouncycastle packages to version 1.60-1+deb10u1 or later; the Debian package keeps the 1.60 upstream version number with the fix backported, so check the package version rather than the upstream one. Regularly check for updates and security advisories to keep your system secure.

Is CVE-2023-33201 in CISA’s Known Exploited Vulnerabilities Catalog?

CVE-2023-33201 is not listed in CISA's Known Exploited Vulnerabilities Catalog, so CISA has set no remediation due date for it. The issue, an LDAP injection vulnerability in Bouncy Castle for Java before version 1.74, was added to the National Vulnerability Database on July 4, 2023. The recommended action is still to update Bouncy Castle for Java to version 1.74 or later.

Weakness enumeration

The Weakness Enumeration for CVE-2023-33201 is identified as CWE-295, which refers to improper certificate validation. This issue affects Bouncy Castle for Java before version 1.74 and can lead to potential information disclosure.

For more details

CVE-2023-33201 is a medium-severity vulnerability affecting Bouncy Castle for Java before version 1.74. To learn more about this issue, including its description, severity, technical details, and known affected software configurations, refer to the NVD page or the resources listed below.
