Source: Ubuntu.com (ubuntucve), ID UB:CVE-2023-33201
Date: Jul 05, 2023 - 12:00 a.m.

CVE-2023-33201

Tags: cve-2023-33201, bouncy castle, ldap injection, x.509 certificates, subject name, ldap search filter, certificate validation, debian, unix

CVSS3: 5.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.001
Percentile: 23.2%

Bouncy Castle For Java before 1.74 is affected by an LDAP injection
vulnerability. The vulnerability only affects applications that use an LDAP
CertStore from Bouncy Castle to validate X.509 certificates. During the
certificate validation process, Bouncy Castle inserts the certificate’s
Subject Name into an LDAP search filter without any escaping, which leads
to an LDAP injection vulnerability.
