CVE-2023-33202
MEDIUMBouncy Castle for Java < 1.73 - Denial of Service via PEM Parser
Title source: llmDescription
Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)
References (4)
Core 4
Core References
Product
https://bouncycastle.org
Exploit, Third Party Advisory
https://github.com/bcgit/bc-java/wiki/CVE-2023-33202
Third Party Advisory
https://security.netapp.com/advisory/ntap-20240125-0001/
Third Party Advisory
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902023%E2%80%9033202
Scores
CVSS v3
5.5
EPSS
0.0093
EPSS Percentile
56.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-400
Status
published
Products (11)
bouncycastle/bouncy_castle_for_java
< 1.73
bouncycastle/fips_java_api
< 1.0.2.4
org.bouncycastle/bcpkix-jdk18on
0 - 1.73Maven
org.bouncycastle/bcprov-ext-jdk15on
0 - 1.73Maven
org.bouncycastle/bcprov-ext-jdk16
0 - 1.73Maven
org.bouncycastle/bcprov-jdk14
0 - 1.73Maven
org.bouncycastle/bcprov-jdk15
0 - 1.73Maven
org.bouncycastle/bcprov-jdk15on
0Maven
org.bouncycastle/bcprov-jdk15to18
0 - 1.73Maven
org.bouncycastle/bcprov-jdk16
0 - 1.73Maven
... and 1 more
Published
Nov 23, 2023
Tracked Since
Feb 18, 2026