CVE-2020-15522
MEDIUM5.1EPSS 0.41%Timing based private key exposure in Bouncy Castle
發布日:2021/8/13修改日:2026/4/28
描述
Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.
受影響套件(10)
- Debian/bouncycastlefrom 0, < 1.68-1
- Maven/org.bouncycastle:bc-fipsfrom 0, < 1.0.2.1
- Maven/org.bouncycastle:bcprov-ext-jdk15onfrom 0, < 1.66
- Maven/org.bouncycastle:bcprov-ext-jdk16from 0, < 1.66
- Maven/org.bouncycastle:bcprov-jdk14from 0, < 1.66
- Maven/org.bouncycastle:bcprov-jdk15from 0, < 1.66
- Maven/org.bouncycastle:bcprov-jdk15onfrom 0, < 1.66
- Maven/org.bouncycastle:bcprov-jdk15to18from 0, < 1.66
- Maven/org.bouncycastle:bcprov-jdk16from 0, < 1.66
- NuGet/BouncyCastlefrom 0, < 1.8.7
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.1 | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-15522
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2020-15522
- WEBhttps://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522
- WEBhttps://github.com/bcgit/bc-java/wiki/CVE-2020-15522
- WEBhttps://security.netapp.com/advisory/ntap-20210622-0007
- WEBhttps://www.bouncycastle.org/releasenotes.html