bouncycastle: BC-JAVA: private key leakage via non-constant time comparisons

A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA core. A covert timing channel vulnerability, caused by non-constant time comparisons, risks the leakage of private keys in the FrodoKEM implementation. An unauthenticated, remote attacker can potentially exploit this timing discrepancy ...

Covert timing channel vulnerability at Bouncy Castle dependency at Crucible Server

This High severity Covert timing channel vulnerability was introduced in version 4.9.0 of Crucible Server. Atlassian recommends that Crucible Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Crucible Da...

bouncycastle: BC-JAVA: private key leakage via non-constant time comparisons

A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA core. A covert timing channel vulnerability, caused by non-constant time comparisons, risks the leakage of private keys in the FrodoKEM implementation. An unauthenticated, remote attacker can potentially exploit this timing discrepancy ...

CVE-2026-5598

A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA core. A covert timing channel vulnerability, caused by non-constant time comparisons, risks the leakage of private keys in the FrodoKEM implementation. An unauthenticated, remote attacker can potentially exploit this timing discrepancy ...

EUVD-2026-22872

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all core modules. Non-constant time comparisons risk private key leakage in FrodoKEM. This issue affects BC-JAVA: from 2.17.3 before 1.84...

SUSE CVE-2026-5598

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all core modules. This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.80.1, from 1.82 before 1.84...

CVE-2026-5598

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all core modules. This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.80.1, from 1.82 before 1.84...

CVE-2026-5598

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all core modules. This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.80.1, from 1.82 before 1.84...

CVE-2026-5598

CVE-2026-5598 affects BC-JAVA (Legion of the BC) where non-constant time comparisons in FrodoKEM can create a covert timing channel that risks private-key leakage. Affected line: BC-JAVA from 2.17.3 before 1.84. The issue is rated as CRITICAL (CVSSv4-like metrics shown: NETWORK, LOW ATTACK, no us...

CVE-2026-5598

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all core modules. This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.80.1, from 1.82 before 1.84...

cyclonedx-core-java: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection

An XML External Entity XXE injection vulnerability was found in the CycloneDX Java core library’s XML validation step where the XML Validator was not configured securely. When a specially crafted CycloneDX BOM XML is validated, external XML entities can be processed XXE, allowing an attacker to...

EUVD-2022-7625

Malicious code in bioql PyPI...

ai.starlake:starlake-streaming_2.13 (>=1.3.3 <=1.3.5), chat.octet:llama-java-core (>=1.4.1 <=1.4.2) +294 more potentially affected by CVE-2025-59340 via com.hubspot.jinjava:jinjava (>=1.0.3 <=2.7.4)

com.hubspot.jinjava:jinjava MAVEN version =1.0.3, =1.3.3, =1.4.1, =1.0.2, =1.0.2, =0.1.0, =1.3.0, =0.3.0, =0.3.0, =0.1.0, =0.1.0, =0.1.0, =0.1.6 - com.elevenware.felson.examples:authserver =0.0.2 - com.elevenware.felson.examples:felson-examples-app =0.0.2 - com.elevenware.felson.examples:one =0.0...

Linux Distros Unpatched Vulnerability : CVE-2022-3509

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a...

Memory handling vulnerability in ProtocolBuffers Java core and lite

...

CVE-2024-45294

A flaw was found in HAPI FHIR - HL7 FHIR Core Artifacts. eXtensible Stylesheet Language Transformations XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host...

CVE-2022-3510

A flaw was found in Message-Type Extensions in protobuf-java core that can lead to a denial of service. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields can cause objects to convert between mutable and immutable forms, resulting in long garbag...

Updated protobuf packages fix security vulnerability

Parsing vulnerability for the MessageSet type in the ProtocolBuffers for protobuf-python can lead to out of memory can lead to a Denial of Service against services receiving unsanitized input. CVE-2022-1941 A parsing issue with binary data in protobuf-java core and lite can lead to a denial of...

Security Bulletin: IBM MQ Blockchain bridge is vulnerable to multiple issues within protobuf-java-core (CVE-2022-3510, CVE-2022-3509)

Summary Multiple issues were identified within protobuf-java-core which is used by fabric gateway which is used by IBM MQ Blockchain bridge to provide Blockchain functionality to IBM MQ. Vulnerability Details CVEID:CVE-2022-3510 DESCRIPTION: protobuf-java core and lite are vulnerable to a denial ...

SUSE CVE-2022-3510

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown...