org.bouncycastle:bcpg-jdk18on@1.81 : bcpg-jdk18on-1.81.jar #2155

@lxf136

Description

Fortify verification.

Summary
BouncyCastle is vulnerable due to Improper Verification of Cryptographic Signature. The constructor in the ArmoredInputStream class does not properly sanitize ASCII armor header keys when processing signed messages. An attacker can exploit this vulnerability by intercepting and altering a signed message, including text not covered by the signature, and tricking the recipient into believing it is part of the signed message.

Component Name: org.bouncycastle:bcpg-jdk18on
Component Version: 1.81
Repository: maven

Primary Rule ID: sonatype-2025-001912

CVSS Base Score: 6.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
File Locations
fortifyUpload/subModuleDependencies/bcpg-jdk18on-1.81.jar

Standards and Best Practices
OWASP 2021: A06:2021 – Vulnerable and Outdated Components
PCI 4.0: 6.3.3 – All system components are protected from known vulnerabilities by installing applicable security patches/updates

Explanation
BouncyCastle is vulnerable due to Improper Verification of Cryptographic Signature. The constructor in the ArmoredInputStream class does not properly sanitize ASCII armor header keys when processing signed messages. An attacker can exploit this vulnerability by intercepting and altering a signed message, including text not covered by the signature, and tricking the recipient into believing it is part of the signed message.

Detection
The application is vulnerable by using this component.

Recommendation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue. At the time of Deep Dive research, a version containing the fix is not available on the NuGet repository.

Note: For the implemented fix to work, it is necessary to enable the validateAllowedHeaders setting. Reference: #2084 (comment)

Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.

Next Non-Vulnerable Version
There are no component versions available with zero published vulnerabilities.

Greatest Non-Vulnerable Version
There are no component versions available with zero published vulnerabilities.

Links
#2084
https://www.bouncycastle.org/download/bouncy-castle-java/?filter=java%3Drelease-1-81

Labels: invalid