From cbb64953c68bb2c50277bb84a587ccc44c35e79c Mon Sep 17 00:00:00 2001 From: kevin jin <126555726+binary-1024@users.noreply.github.com> Date: Fri, 17 Jan 2025 18:31:32 +0800 Subject: [PATCH] Improve GHSA-4h8f-2wvx-gg5w --- .../GHSA-4h8f-2wvx-gg5w.json | 29 +++++-------------- 1 file changed, 7 insertions(+), 22 deletions(-) diff --git a/advisories/github-reviewed/2024/05/GHSA-4h8f-2wvx-gg5w/GHSA-4h8f-2wvx-gg5w.json b/advisories/github-reviewed/2024/05/GHSA-4h8f-2wvx-gg5w/GHSA-4h8f-2wvx-gg5w.json index 474decd906a1a..3f9294d9b672a 100644 --- a/advisories/github-reviewed/2024/05/GHSA-4h8f-2wvx-gg5w/GHSA-4h8f-2wvx-gg5w.json +++ b/advisories/github-reviewed/2024/05/GHSA-4h8f-2wvx-gg5w/GHSA-4h8f-2wvx-gg5w.json @@ -1,14 +1,16 @@ { "schema_version": "1.4.0", "id": "GHSA-4h8f-2wvx-gg5w", - "modified": "2024-06-14T15:31:24Z", + "modified": "2024-06-14T15:32:27Z", "published": "2024-05-03T18:30:37Z", "aliases": [ "CVE-2024-34447" ], "summary": "Bouncy Castle Java Cryptography API vulnerable to DNS poisoning", "details": "An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.", - "severity": [], + "severity": [ + + ], "affected": [ { "package": { @@ -67,25 +69,6 @@ } ] }, - { - "package": { - "ecosystem": "Maven", - "name": "org.bouncycastle:bcprov-jdk13" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "1.61" - }, - { - "fixed": "1.78" - } - ] - } - ] - }, { "package": { "ecosystem": "Maven", @@ -133,7 +116,9 @@ } ], "database_specific": { - "cwe_ids": [], + "cwe_ids": [ + + ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2024-05-03T20:34:32Z",