Versio.io

CVE-2018-1000613

Common vulnerabilities & exposures (CVE)

Published at: 2018-07-09 10:29
Last modified: 2022-01-14 04:20
Total changes: 3

Description

Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contain a CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, 'Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization. Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code: a handcrafted private key can include references to unexpected classes, which are then loaded from the class path of the executing application. Exposure therefore requires that the application deserialize XMSS/XMSS^MT private keys from a source an attacker can influence. The issue is fixed in 1.60 and later.
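The pattern behind CWE-470 here is Java object deserialization that trusts the class names carried in the byte stream. The following is an added example, not Bouncy Castle's code: `TreeState` stands in for the serialized tree state carried inside an XMSS private key and `UnexpectedGadget` for an arbitrary class on the class path that an attacker names in a handcrafted key; both are hypothetical. It contrasts the vulnerable pattern (a plain `ObjectInputStream`) with a hardened one whose `resolveClass()` only admits an allowlist of expected classes, so the unexpected class is rejected before it is loaded or instantiated. The details of the real 1.60 fix are not given on this page; the allowlist shown is what a hardened version of this pattern looks like, not a claim about the library's exact implementation.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical stand-in for the serialized tree state inside an XMSS private key. */
final class TreeState implements Serializable {
    private static final long serialVersionUID = 1L;
    final int index;
    final byte[] authPath;
    TreeState(int index, byte[] authPath) { this.index = index; this.authPath = authPath; }
}

/** Hypothetical stand-in for an unexpected class the attacker names in a handcrafted key. */
final class UnexpectedGadget implements Serializable {
    private static final long serialVersionUID = 1L;
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        // Runs during deserialization, before the caller ever sees a return value.
        System.out.println("UnexpectedGadget.readObject executed");
    }
}

public final class KeyStateDeserialization {

    /** Vulnerable pattern: whatever class the stream names gets loaded and instantiated (CWE-470). */
    static Object deserializeUnsafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** Hardened pattern: resolveClass() admits only the classes the key format is expected to contain. */
    static final class CheckingStream extends ObjectInputStream {
        // byte[] must be allowed too: array classes ("[B") pass through resolveClass() as well.
        private static final Set<String> PERMITTED = new HashSet<>(Arrays.asList(
            TreeState.class.getName(), byte[].class.getName()));

        CheckingStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // The class descriptor precedes the object data, so this fires before instantiation.
            if (!PERMITTED.contains(desc.getName())) {
                throw new InvalidClassException("unexpected class in key state: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static TreeState deserializeChecked(byte[] data) throws IOException, ClassNotFoundException {
        try (CheckingStream in = new CheckingStream(new ByteArrayInputStream(data))) {
            Object o = in.readObject();
            if (!(o instanceof TreeState)) {
                throw new InvalidClassException("unexpected top-level type " + o.getClass().getName());
            }
            return (TreeState) o;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] genuine = serialize(new TreeState(7, new byte[] {1, 2, 3}));
        byte[] handcrafted = serialize(new UnexpectedGadget()); // constructed "private key" body

        // Both parse under the vulnerable pattern; the gadget's readObject() has already run.
        System.out.println(deserializeUnsafe(genuine).getClass().getSimpleName());
        System.out.println(deserializeUnsafe(handcrafted).getClass().getSimpleName());

        // The checked path accepts the genuine state and rejects the handcrafted one
        // before any class outside the allowlist is loaded.
        System.out.println(deserializeChecked(genuine).index);
        try {
            deserializeChecked(handcrafted);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same allowlist can be expressed as an `ObjectInputFilter` installed with `ObjectInputStream.setObjectInputFilter(...)` (JEP 290), which also lets you cap array lengths and graph depth; the `resolveClass()` override above is the form that also works on Java 8 runtimes, where Bouncy Castle 1.58 and 1.59 were commonly deployed.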

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Base score: 9.8
Exploitability score: 3.9
Impact score: 5.9

Verification logic

vendor=bouncycastle AND product=legion-of-the-bouncy-castle-java-crytography-api AND versionStartIncluding=1.58 AND versionEndExcluding=1.60
OR
vendor=netapp AND product=oncommand_workflow_automation AND version=-
OR
vendor=opensuse AND product=leap AND version=15.1
OR
vendor=oracle AND product=api_gateway AND version=11.1.2.4.0
vendor=oracle AND product=banking_platform AND version=2.6.0
vendor=oracle AND product=banking_platform AND version=2.6.1
vendor=oracle AND product=banking_platform AND version=2.6.2
vendor=oracle AND product=business_process_management_suite AND version=11.1.1.9.0
vendor=oracle AND product=business_process_management_suite AND version=12.1.3.0.0
vendor=oracle AND product=business_process_management_suite AND version=12.2.1.3.0
vendor=oracle AND product=business_transaction_management AND version=12.1.0
vendor=oracle AND product=communications_application_session_controller AND version=3.7.1
vendor=oracle AND product=communications_application_session_controller AND version=3.8.0
vendor=oracle AND product=communications_converged_application_server AND versionEndExcluding=7.0.0.1
vendor=oracle AND product=communications_converged_application_server AND version=7.0.0.1
vendor=oracle AND product=communications_convergence AND version=3.0.2
vendor=oracle AND product=communications_diameter_signaling_router AND version=8.0.0
vendor=oracle AND product=communications_diameter_signaling_router AND version=8.1
vendor=oracle AND product=communications_diameter_signaling_router AND version=8.2
vendor=oracle AND product=communications_diameter_signaling_router AND version=8.2.1
vendor=oracle AND product=communications_webrtc_session_controller AND versionEndExcluding=7.2
vendor=oracle AND product=communications_webrtc_session_controller AND version=7.2
vendor=oracle AND product=data_integrator AND version=12.2.1.3.0
vendor=oracle AND product=enterprise_manager_base_platform AND version=12.1.0.5.0
vendor=oracle AND product=enterprise_manager_base_platform AND version=13.2.0.0
vendor=oracle AND product=enterprise_manager_base_platform AND version=13.3.0.0
vendor=oracle AND product=enterprise_manager_for_fusion_middleware AND version=13.2.0.0
vendor=oracle AND product=enterprise_manager_for_fusion_middleware AND version=13.3.0.0
vendor=oracle AND product=enterprise_repository AND version=11.1.1.7.0
vendor=oracle AND product=enterprise_repository AND version=12.1.3.0.0
vendor=oracle AND product=managed_file_transfer AND version=12.1.3.0.0
vendor=oracle AND product=managed_file_transfer AND version=12.2.1.3.0
vendor=oracle AND product=peoplesoft_enterprise_peopletools AND version=8.55
vendor=oracle AND product=peoplesoft_enterprise_peopletools AND version=8.56
vendor=oracle AND product=peoplesoft_enterprise_peopletools AND version=8.57
vendor=oracle AND product=retail_convenience_and_fuel_pos_software AND version=2.8.1
vendor=oracle AND product=retail_xstore_point_of_service AND version=7.0
vendor=oracle AND product=retail_xstore_point_of_service AND version=7.1
vendor=oracle AND product=soa_suite AND version=12.1.3.0.0
vendor=oracle AND product=soa_suite AND version=12.2.1.3.0
vendor=oracle AND product=utilities_network_management_system AND version=1.12.0.3
vendor=oracle AND product=utilities_network_management_system AND version=2.3.0.0
vendor=oracle AND product=utilities_network_management_system AND version=2.3.0.1
vendor=oracle AND product=utilities_network_management_system AND version=2.3.0.2
vendor=oracle AND product=webcenter_portal AND version=11.1.1.9.0
vendor=oracle AND product=webcenter_portal AND version=12.2.1.3.0
vendor=oracle AND product=weblogic_server AND version=12.2.1.3