PT-2023-7206 · Unknown · Bouncy Castle For Java

Published: 2023-11-23 · Updated: 2025-08-18 · CVE-2023-33202

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Bouncy Castle for Java versions prior to 1.73; BC-FJA versions prior to 1.0.2.4

Description: The issue is caused by insufficient input validation in the Bouncy Castle org.bouncycastle.openssl.PEMParser class, which parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. An attacker can exploit this by supplying crafted ASN.1 data that triggers an OutOfMemoryError, resulting in a denial of service.

Recommendations: For Bouncy Castle for Java versions prior to 1.73, update to version 1.73 or later. For BC-FJA versions prior to 1.0.2.4, update to version 1.0.2.4 or later. As a temporary workaround, consider restricting the use of the org.bouncycastle.openssl.PEMParser class until a patch can be applied.
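Where PEMParser cannot be removed outright before the upgrade, one way to narrow the exposure of the untrusted-input path is to cap how much data reaches the parser at all. The following is an added example, not code from the advisory or from the Bouncy Castle project; it assumes the bcpkix artifact is on the classpath, and the limit constant and class names are hypothetical choices for illustration.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import org.bouncycastle.openssl.PEMParser;

// Added example: bounds the amount of PEM text handed to PEMParser so that
// an oversized untrusted input is refused before parsing proceeds.
public final class BoundedPemReader {

    // Hypothetical limit; tune it to the largest legitimate PEM object you expect.
    public static final long MAX_PEM_CHARS = 64L * 1024;

    private BoundedPemReader() {}

    // Reader that fails fast once more than 'limit' characters have been consumed.
    static final class LimitedReader extends Reader {
        private final Reader in;
        private final long limit;
        private long consumed;

        LimitedReader(Reader in, long limit) {
            this.in = in;
            this.limit = limit;
        }

        @Override
        public int read(char[] buf, int off, int len) throws IOException {
            int n = in.read(buf, off, len);
            if (n > 0) {
                consumed += n;
                if (consumed > limit) {
                    throw new IOException("PEM input exceeds " + limit + " characters");
                }
            }
            return n;
        }

        @Override
        public void close() throws IOException {
            in.close();
        }
    }

    // Parses the first PEM object from an untrusted stream, refusing oversized input.
    // Returns null when the stream contains no PEM object.
    public static Object parseFirstObject(Reader untrusted) throws IOException {
        try (PEMParser parser = new PEMParser(new LimitedReader(untrusted, MAX_PEM_CHARS))) {
            return parser.readObject();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: a PEM header with a deliberately oversized body,
        // standing in for data received from an untrusted source.
        StringBuilder sb = new StringBuilder("-----BEGIN CERTIFICATE-----\n");
        for (int i = 0; i < 2000; i++) {
            sb.append("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n");
        }
        sb.append("-----END CERTIFICATE-----\n");

        try {
            parseFirstObject(new StringReader(sb.toString()));
            System.out.println("parsed");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The wrapper only limits how much data the parser sees; it does not change how PEMParser itself validates the decoded ASN.1, so it is a stopgap that belongs alongside the version upgrade the advisory recommends, not in place of it.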

Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

BDU:2023-08233
CVE-2023-33202
GHSA-WJXJ-5M7G-MG7Q

Affected Products

Bc-Fja
Bouncy Castle For Java
Debian