PT-2023-4874 · Unknown · Bouncy Castle For Java

Published: 2023-07-01 · Updated: 2026-03-18 · CVE-2023-33201

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Bouncy Castle For Java versions prior to 1.74
Description: The issue is an LDAP injection vulnerability in Bouncy Castle For Java that affects applications using an LDAP CertStore to validate X.509 certificates. During certificate validation, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without proper escaping, so characters that have special meaning in LDAP filter syntax alter the query. This can be exploited to disclose protected information, in particular when an attacker presents a self-signed certificate whose subject name contains such special characters. Exploitability depends on the structure of the target LDAP directory and on the kind of errors exposed to the user.
Recommendations: For versions prior to 1.74, update to version 1.74 or later. As a temporary workaround, disable the use of the Bouncy Castle LDAP CertStore for validating X.509 certificates until the update is applied. Restrict access to the X509LDAPCertStoreSpi.java class to minimize the risk of exploitation, and avoid using certificate subject names that contain special characters with the affected API endpoints until the issue is resolved.
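The unsafe and the hardened way of building the search filter described above, as an added Python example that is not Bouncy Castle code: the filter shape `(&(objectClass=pkiUser)(cn=...))` and the use of the subject CN are assumptions, and the escaping follows RFC 4515.

```python
# Added example (not Bouncy Castle code). Demonstrates the bug class behind
# CVE-2023-33201: a certificate subject value concatenated into an LDAP search
# filter, and the RFC 4515 escaping that closes the hole.
# Assumptions: the filter shape and the use of the subject CN are illustrative.

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an RFC 4515 filter."""
    out = []
    for ch in value:
        if ch in _LDAP_FILTER_ESCAPES:
            out.append(_LDAP_FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII: emit each UTF-8 byte as \XX so the filter stays ASCII.
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_filter_unescaped(subject_cn: str) -> str:
    """Vulnerable pattern: the subject value is concatenated verbatim."""
    return f"(&(objectClass=pkiUser)(cn={subject_cn}))"


def build_filter_escaped(subject_cn: str) -> str:
    """Hardened pattern: the subject value is escaped before it enters the filter."""
    return f"(&(objectClass=pkiUser)(cn={escape_ldap_filter_value(subject_cn)}))"


def filter_group_count(ldap_filter: str) -> int:
    """Number of literal '(' in the filter. The intended filter has exactly 3;
    any more means the subject value added clauses of its own."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed subject CN containing LDAP filter metacharacters.
    crafted = "Acme Corp)(cn=*"
    for name, build in (("unescaped", build_filter_unescaped), ("escaped", build_filter_escaped)):
        f = build(crafted)
        print(f"{name:9} groups={filter_group_count(f)} {f}")
```

Running the block shows the unescaped filter gaining a fourth group while the escaped one keeps the subject confined to a single assertion value.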

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

BDU:2023-05362
CVE-2023-33201
DLA-3514-1
GHSA-HR8G-6V94-X4M9
OESA-2023-1391
OESA-2023-1504
OPENSUSE-SU-2024:13016-1
RHSA-2023:5484
RHSA-2023:5485
RHSA-2023:5486
RHSA-2023:7482
RHSA-2023:7483
RHSA-2023:7484
SUSE-SU-2023:2843-1
SUSE-SU-2023_2843-1
USN-8108-1

Affected Products

Astra Linux
Bouncy Castle For Java
Debian
Linuxmint
Suse
Ubuntu