Replies: 2 comments
-
I think you must be using a third-party repackaging of BC; please say e.g. which NuGet package you are referencing. The vulnerability mentioned exists in the BouncyCastle.Cryptography NuGet package, versions from 2.1.0 to 2.3.0 (fixed in 2.3.1/2.4.0). I guess you are not using this because it does not have a .NET Framework 4.5 target. The BouncyCastle NuGet package (best match I can guess for the Snyk entry) is a third-party package that we don't control, but in any case version 1.8.9 is from Jan 2021, whereas the problem change wasn't made in our git until Nov 2022, so it couldn't be present there.
-
Hello Peter, thanks for your answer. You are correct, the NuGet package that uses BouncyCastle.Cryptography is iTextSharp. I have BouncyCastle 1.8.9 installed but I'm searching which package is using it or whether I can delete it. When I set up a new PR with Snyk I will write again about this.
-
Hi, on Snyk we have a high severity vulnerability. Any solution? I'm using a .NET Framework 4.5 project, not possible to upgrade.
This is the summary:
Detailed paths
Introduced through: project@* › BouncyCastle@1.8.9
Fix: No remediation path available.
Security information
Factors contributing to the scoring:
Snyk: CVSS v3.1 7.5 - High Severity
NVD: Not available. NVD has not yet published its analysis.
Why are the scores different? Learn how Snyk evaluates vulnerability scores
Overview
BouncyCastle is a C# implementation of cryptographic algorithms.
Affected versions of this package are vulnerable to Infinite loop in ED25519 verification in the ScalarUtil class. An attacker can send a malicious signature and public key to trigger denial of service.
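A check a project maintainer could run before trusting or dismissing such a scanner finding, added here as an example and not code from this thread or from BouncyCastle: it reads package references from a packages.config or an SDK-style .csproj and flags BouncyCastle.Cryptography only inside the range Peter gives above (2.1.0 through 2.3.0, fixed in 2.3.1/2.4.0), while a reference to the separately published BouncyCastle package is reported as a name match rather than as the affected package. The sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

# Range stated by the BC maintainer in this thread: BouncyCastle.Cryptography
# 2.1.0 through 2.3.0 is affected; 2.3.1 and 2.4.0 carry the fix.
AFFECTED_ID = "bouncycastle.cryptography"
AFFECTED_MIN = (2, 1, 0)
FIXED_IN = (2, 3, 1)
# Third-party repackaging with a similar name; the Snyk entry matched on it.
REPACKAGED_ID = "bouncycastle"

# Constructed sample manifests (not taken from the thread).
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="BouncyCastle" version="1.8.9" targetFramework="net45" />
  <package id="iTextSharp" version="5.5.13" targetFramework="net45" />
</packages>"""
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="BouncyCastle.Cryptography" Version="2.2.1" />
</ItemGroup></Project>"""

def parse_version(text):
    """'2.3.0' or '2.3.0-beta1' -> (2, 3, 0); missing components become 0."""
    core = text.strip().split("-")[0].split("+")[0]
    nums = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple((nums + [0, 0, 0])[:3])

def package_refs(xml_text):
    """Yield (id, version) from packages.config or an SDK-style .csproj."""
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}")[-1]              # drop any XML namespace
        if tag == "package":                     # packages.config entry
            yield el.get("id", ""), el.get("version", "")
        elif tag == "PackageReference":          # .csproj entry
            ver = el.get("Version") or el.findtext("Version") or ""
            yield el.get("Include", ""), ver

def classify(pkg_id, version):
    """'affected', 'not_affected', 'repackaged', or None for other packages."""
    pid = pkg_id.lower()
    if pid == AFFECTED_ID:
        in_range = AFFECTED_MIN <= parse_version(version) < FIXED_IN
        return "affected" if in_range else "not_affected"
    return "repackaged" if pid == REPACKAGED_ID else None

def scan(xml_text):
    """Return {package id: (version, verdict)} for BouncyCastle-named refs."""
    findings = {}
    for pkg_id, version in package_refs(xml_text):
        verdict = classify(pkg_id, version)
        if verdict:
            findings[pkg_id] = (version, verdict)
    return findings
```

A "repackaged" verdict means the scanner matched on the package name only; confirm what that package actually bundles before closing the finding.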