From a379f31368788a67537ad3c20cdb436258e784ae Mon Sep 17 00:00:00 2001 From: Tim Vasenin Date: Thu, 18 Jun 2026 04:24:47 +0700 Subject: [PATCH] Improve GHSA-p93r-85wp-75v3 --- .../GHSA-p93r-85wp-75v3.json | 128 +++++++++++++++++- 1 file changed, 121 insertions(+), 7 deletions(-) diff --git a/advisories/github-reviewed/2026/04/GHSA-p93r-85wp-75v3/GHSA-p93r-85wp-75v3.json b/advisories/github-reviewed/2026/04/GHSA-p93r-85wp-75v3/GHSA-p93r-85wp-75v3.json index 7a13240d6cbe2..82af81d557cd7 100644 --- a/advisories/github-reviewed/2026/04/GHSA-p93r-85wp-75v3/GHSA-p93r-85wp-75v3.json +++ b/advisories/github-reviewed/2026/04/GHSA-p93r-85wp-75v3/GHSA-p93r-85wp-75v3.json @@ -1,17 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-p93r-85wp-75v3", - "modified": "2026-04-25T23:25:24Z", + "modified": "2026-04-25T23:25:25Z", "published": "2026-04-17T18:31:50Z", "aliases": [ "CVE-2026-5598" ], "summary": "Bouncy Castle Has Covert Timing Channel Vulnerability", - "details": "Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.84.", + "details": "Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA:\n- From 1.71 before 1.80.2\n- From 1.81 before 1.81.1\n- From 1.82 before 1.84\n\nIssue affecting: BC 1.71 to 1.80.1, BC 1.81, BC 1.82 to BC 1.83.\n\nFixed versions: BC 1.80.2, BC 1.81.1, BC 1.84", "severity": [ { "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/S:P/AU:Y/U:Red" + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" } ], "affected": [ @@ -28,7 +28,7 @@ "introduced": "1.71" }, { - "fixed": "1.84" + "fixed": "1.80.2" } ] } @@ -47,7 +47,7 @@ "introduced": "1.71" }, { - "fixed": "1.84" + "fixed": "1.80.2" } ] } @@ -65,6 +65,120 @@ { "introduced": "1.71" }, + { + "fixed": "1.80.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.bouncycastle:bcprov-jdk15to18" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.81" + }, + { + "fixed": "1.81.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.bouncycastle:bcprov-jdk15to18" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.82" + }, + { + "fixed": "1.84" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.bouncycastle:bcprov-jdk14" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.81" + }, + { + "fixed": "1.81.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.bouncycastle:bcprov-jdk14" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.82" + }, + { + "fixed": "1.84" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.bouncycastle:bcprov-jdk18on" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.81" + }, + { + "fixed": "1.81.1" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.bouncycastle:bcprov-jdk18on" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.82" + }, { "fixed": "1.84" } @@ -92,14 +206,14 @@ }, { "type": "WEB", - "url": "https://github.com/bcgit/bc-java/wiki/CVE-2026-5598" + "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905598" } ], "database_specific": { "cwe_ids": [ "CWE-385" ], - "severity": "HIGH", + "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2026-04-25T23:25:24Z", "nvd_published_at": "2026-04-15T10:16:49Z"