SNYK-JAVA-ORGBOUNCYCASTLE-6277381 - Observable Timing Discrepancy in org.bouncycastle:bcprov-jdk18on
org.bouncycastle:bcprov-jdk18on
Introduced through: org.keycloak:keycloak-quarkus-server-deployment@999.0.0-SNAPSHOT › org.keycloak:keycloak-quarkus-server@999.0.0-SNAPSHOT › org.keycloak:keycloak-crypto-default@999.0.0-SNAPSHOT › org.bouncycastle:bcprov-jdk18on@1.77
Overview
Affected versions of this package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP decryption process. An attacker can recover ciphertexts via a side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector leaks data via javax.crypto.Cipher exceptions, and the OAEP interface vector leaks via the bit size of the decrypted data.
Remediation
Upgrade org.bouncycastle:bcprov-jdk18on to version 1.78 or higher.