Description
Bouncy Castle for Java before 1.74 is affected by an LDAP injection vulnerability. Only applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates are affected. During certificate validation, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without escaping it. A Subject Name that contains LDAP filter metacharacters (such as *, (, ) and \) therefore changes the structure of the query sent to the directory, and because the Subject Name comes from the certificate being validated, it can be attacker-chosen. Upgrading to release 1.74 or later resolves the issue.
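The mechanism described above, as an added example that is not part of this page or of Bouncy Castle's own code: a hypothetical search filter built from a certificate's Subject Name, first unescaped and then with RFC 4515 escaping, plus a check of the registered "BC" provider's version against the fixed release. The attribute name, the filter structure, the class name and the crafted Subject Name are assumptions made for the demo.

```java
import java.security.Provider;
import java.security.Security;

/**
 * Added illustration for CVE-2023-33201; this is not Bouncy Castle code.
 * It shows how an unescaped X.509 Subject Name alters the structure of an
 * LDAP search filter, and the RFC 4515 escaping that neutralises it.
 */
public class LdapFilterInjectionDemo {

    // Hypothetical filter shape for the demo. The attribute name and the
    // (&(...)(objectClass=...)) structure are assumptions, not the filter
    // Bouncy Castle's LDAP CertStore actually builds.
    static String buildFilterUnescaped(String subjectDn) {
        return "(&(subject=" + subjectDn + ")(objectClass=pkiUser))";
    }

    static String buildFilterEscaped(String subjectDn) {
        return "(&(subject=" + escapeFilterValue(subjectDn) + ")(objectClass=pkiUser))";
    }

    /**
     * RFC 4515 section 3 escaping: the five characters that carry meaning
     * inside an assertion value are replaced by a backslash and their hex
     * code, so the value can never close, open or wildcard a filter item.
     */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Counts the filter items directly under the outer (&...) operator by
     * tracking parenthesis depth. The hardened filter always has exactly
     * two; any extra item was injected through the Subject Name.
     */
    static int topLevelItems(String filter) {
        int depth = 0, items = 0;
        for (char c : filter.toCharArray()) {
            if (c == '(') {
                depth++;
                if (depth == 2) items++;
            } else if (c == ')') {
                depth--;
            }
        }
        return items;
    }

    /**
     * Reports whether the registered "BC" provider is older than 1.74, the
     * release the advisory names as fixed. Assumes Provider.getVersionStr()
     * returns a "major.minor" string (an assumption of this demo). Returns
     * false when BC is not registered; inspect the bcprov jar on the
     * classpath in that case.
     */
    static boolean registeredBcProviderBelow174() {
        Provider bc = Security.getProvider("BC");
        if (bc == null) {
            return false;
        }
        String[] parts = bc.getVersionStr().split("\\.");
        try {
            int major = Integer.parseInt(parts[0]);
            int minor = parts.length > 1 ? Integer.parseInt(parts[1]) : 0;
            return major < 1 || (major == 1 && minor < 74);
        } catch (NumberFormatException e) {
            return false; // unparseable version: decide from the jar, not from here
        }
    }

    public static void main(String[] args) {
        // Constructed attacker-chosen Subject Name: ")(cn=*" closes the intended
        // assertion and appends a wildcard item that the directory will evaluate.
        String craftedSubject = "CN=victim)(cn=*";

        String unsafe = buildFilterUnescaped(craftedSubject);
        String safe = buildFilterEscaped(craftedSubject);

        System.out.println("unescaped: " + unsafe + "   items=" + topLevelItems(unsafe));
        System.out.println("escaped:   " + safe + "   items=" + topLevelItems(safe));
        System.out.println("registered BC provider below 1.74: " + registeredBcProviderBelow174());
    }
}
```

Compiled and run with a plain JDK (no Bouncy Castle jar is needed for the filter part), the unescaped filter reports three top-level items and the escaped one two; the extra item is the injected (cn=*). Upgrading to Bouncy Castle 1.74 is the remedy the advisory describes; escaping at the call site only matters for application code that builds its own filters from certificate fields.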
References (5)
Product
https://bouncycastle.org
Vendor Advisory
https://github.com/bcgit/bc-java/wiki/CVE-2023-33201
Vendor Advisory
https://security.netapp.com/advisory/ntap-20230824-0008/
Mailing List
https://lists.debian.org/debian-lts-announce/2023/08/msg00000.html
Scores
CVSS v3
5.3
EPSS
0.0064
EPSS Percentile
45.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-295 (Improper Certificate Validation)
Status
published
Products (13)
Package                                   Ecosystem   Affected versions
bouncycastle/bc-java                      -           < 1.74
org.bouncycastle/bcprov-debug-jdk14       Maven       1.49 - 1.74
org.bouncycastle/bcprov-debug-jdk15on     Maven       1.49
org.bouncycastle/bcprov-debug-jdk15to18   Maven       0 - 1.74
org.bouncycastle/bcprov-debug-jdk18on     Maven       0 - 1.74
org.bouncycastle/bcprov-ext-jdk14         Maven       1.49 - 1.74
org.bouncycastle/bcprov-ext-jdk15on       Maven       1.49
org.bouncycastle/bcprov-ext-jdk15to18     Maven       0 - 1.74
org.bouncycastle/bcprov-ext-jdk18on       Maven       0 - 1.74
org.bouncycastle/bcprov-jdk14             Maven       1.49 - 1.74
... and 3 more
Version ranges are as listed on the page. Since 1.74 is the fixed release, an upper bound of 1.74 is exclusive; the jdk15on entries list only a lower bound (1.49) and no fixed version.
Published
Jul 05, 2023
Tracked Since
Feb 18, 2026