CVE-2024-34447

High

Description

An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.

References

https://www.bouncycastle.org/latest_releases.html

https://security.netapp.com/advisory/ntap-20240614-0007/

https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9034447

Details

Source: Mitre, NVD

Published: 2024-05-03

Updated: 2024-06-14

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High