SCA: security update for org.bouncycastle:bcprov-debug-jdk14, org.bouncycastle:bcprov-debug-jdk15to18, org.bouncycastle:bcprov-debug-jdk18on, org.bouncycastle:bcprov-ext-jdk14, org.bouncycastle:bcprov-ext-jdk15to18, org.bouncycastle:bcprov-ext-jdk18on, org.bouncycastle:bcprov-jdk14, org.bouncycastle:bcprov-jdk15to18, org.bouncycastle:bcprov-jdk18on (GHSA-hr8g-6v94-x4m9)

medium Tenable Self-Hosted Container Security Plugin ID 415914

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only
affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During
the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP
search filter without any escaping, which leads to an LDAP injection vulnerability. (CVE-2023-33201)

See Also

https://github.com/advisories/GHSA-hr8g-6v94-x4m9

Plugin Details

Severity: Medium

ID: 415914

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.2

Percentile: 51.15

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2023-33201

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/5/2023

Vulnerability Publication Date: 7/5/2023

Reference Information

CVE: CVE-2023-33201

cwe: CWE-295