CVE-2023-33202

Description

Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)

How to fix CVE-2023-33202

To remediate CVE-2023-33202, upgrade the affected package to a fixed version below.

• —no fix listed
• —upgrade to 1.73 or later
• —upgrade to 1.73 or later
• —upgrade to 1.73 or later
• —upgrade to 1.73 or later
• —upgrade to 1.73 or later
• —no fix listed
• —upgrade to 1.73 or later
• —upgrade to 1.73 or later
• —upgrade to 1.73 or later

Is CVE-2023-33202 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (10)

• from 0
• from 0, < 1.73
• from 0, < 1.73
• from 0, < 1.73
• from 0, < 1.73
• from 0, < 1.73
• from 0
• from 0, < 1.73
• from 0, < 1.73
• from 0, < 1.73

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-33202
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-33202
• PATCHgithub.com/bcgit/bc-java
• WEBbouncycastle.org
• WEBgithub.com/bcgit/bc-java/commit/0c576892862ed41894f49a8f639112e8d66d229c